Vikunja vs Rize
Side-by-side trajectory, velocity, and editorial themes.
Vikunja crossed the v1.0 finish line and pivoted hard into security hardening.
Vikunja shipped two v1.0 release candidates through late 2025 and early 2026, then jumped to a v2 series whose first widely-tagged point release, v2.2.1, is dominated by security work. The latest release patches multiple SSRF and IDOR vulnerabilities, enforces disabled/locked-account semantics across every auth surface (OIDC, API tokens, CalDAV, LDAP), and adds a shared SSRF-safe HTTP client that webhooks and migrations now route through. User-facing feature work has slowed; the visible energy is in plumbing and audit cleanup.
The arc moves from feature-completion (S3 storage, drag-and-drop project moves, hover previews in late 2025) toward platform credibility — closing security gaps a self-hosted task tool needs to clear before serious team adoption. The rapid version-number jump from v1.0.0-rc4 to v2.2.1 in two months suggests v1.0 shipped and the team tagged a v2 line aimed at addressing accumulated authz debt. Expect the next several releases to keep the security-first posture rather than return to a feature push.
The next release will likely continue closing remaining authz edges (more IDOR audits, additional credential-stripping in API responses) and bundle a translations and dependency sweep. A user-facing feature push probably waits until the security work plateaus.
Rize pivots from passive tracker to live, AI-queryable work data substrate.
Rize landed two directional moves in the last 30 days: live time-entry creation that replaces the previous batched-after-the-fact model, and a Beta MCP server that exposes time tracking data to Claude and ChatGPT for natural-language analysis. Around those, the team rebuilt the time-entry review panel and added an alternative Work Hours calculation that excludes break time the way most teams actually want. Cadence is high and the releases are coherent, not scattered.
The product is repositioning itself from 'passive tracker that classifies activity later' to 'live work-data platform other AI tools can read.' MCP integration signals Rize wants to be the data layer external assistants reach into, not a self-contained reporting app. The live-entries shift is the user-experience counterpart: data is current and editable in the moment instead of reconstructed later.
Expect the next moves to lean into the new substrate: manager-facing project-overrun alerts, budget-vs-actual dashboards, or richer outbound webhooks. A natural follow-on is broader MCP exposure (write-side actions, not just read), or a chat surface inside Rize itself.
See more alternatives to Vikunja →
See more alternatives to Rize →