Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2.
Published: 2026-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized password reset leads to account takeover
Action: Immediate Patching
AI Analysis

Impact

The vulnerability allows an attacker who obtains a password reset token to redeem it at any later time. Because the token never expires, an intercepted reset link works regardless of how much time has passed since it was issued. Redeeming it sets a new password for the victim's account, which is a full account takeover; the attacker keeps that access until the legitimate user notices and regains control, for example by resetting the password again.

Affected Systems

The only affected software is the Wallos personal subscription tracker (vendor: ellite), in versions before 4.7.2. The vendor fix is to upgrade to version 4.7.2 or newer.

Risk and Exploitability

With a CVSS score of 6.5, the flaw carries moderate severity. The EPSS score indicates a low likelihood of exploitation, and it is not listed in the CISA KEV catalog. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects the precondition: the endpoint is network-reachable and needs no privileges or user interaction, but attack complexity is high because the attacker must first obtain a reset link, e.g. by compromising the victim's mailbox or a mail relay, or by observing an unencrypted connection. Once a link is in hand, the token stays valid and can be redeemed at any later time.

Generated by OpenCVE AI on March 26, 2026 at 22:39 UTC.

Remediation

Fixed by the vendor in Wallos 4.7.2: upgrade to 4.7.2 or later.

OpenCVE Recommended Actions

  • Upgrade Wallos to version 4.7.2 or later.
  • If upgrading is delayed, manually delete all records from the password_resets table to invalidate existing tokens. Note that this only clears tokens already issued; until the upgrade is applied, any new reset request creates another non-expiring token, so repeat the purge as needed.
  • Monitor web-server and application logs for password reset requests, especially redemptions of reset links long after they were requested, and restrict access to the reset endpoint where appropriate.
  • Verify that password reset emails are transmitted over secure channels such as TLS to minimize interception risk.
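The token-validation flaw described above, beside a hardened validator and the table-purge workaround from the recommended actions, as an added example. This is illustrative Python against an in-memory SQLite table, not Wallos's own code; the advisory names only the password_resets table and its created_at column, so the remaining columns, the one-hour lifetime and every function name here are assumptions.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed reset-token lifetime; the advisory does not state Wallos's value.
TOKEN_TTL = timedelta(hours=1)


def open_db():
    """In-memory stand-in for the password_resets table. The advisory names
    only the table and its created_at column; the other columns are assumed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE password_resets (
               user_id    INTEGER NOT NULL,
               token_hash TEXT    NOT NULL UNIQUE,
               created_at TEXT    NOT NULL
           )"""
    )
    return db


def _digest(token):
    # Store and look up a hash so a leaked table dump does not yield live
    # tokens and the database never compares the raw secret.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, user_id, now):
    """Create a reset token for user_id at time `now` and return the raw token
    (the value that would be embedded in the e-mailed reset link)."""
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO password_resets (user_id, token_hash, created_at) VALUES (?, ?, ?)",
        (user_id, _digest(token), now.isoformat()),
    )
    return token


def validate_token_vulnerable(db, token):
    """Pre-4.7.2 behaviour as the advisory describes it: the row is matched,
    created_at is never read, and the token stays valid until it is used."""
    row = db.execute(
        "SELECT user_id FROM password_resets WHERE token_hash = ?", (_digest(token),)
    ).fetchone()
    return row[0] if row else None


def validate_token_fixed(db, token, now):
    """Hardened validator: the token must exist and be no older than TOKEN_TTL,
    and the row is deleted on any redemption attempt so it cannot be replayed."""
    h = _digest(token)
    row = db.execute(
        "SELECT user_id, created_at FROM password_resets WHERE token_hash = ?", (h,)
    ).fetchone()
    if row is None:
        return None
    user_id, created_at = row
    # Consume the row either way: a stale token is purged, a fresh one is single-use.
    db.execute("DELETE FROM password_resets WHERE token_hash = ?", (h,))
    if now - datetime.fromisoformat(created_at) > TOKEN_TTL:
        return None
    return user_id


def purge_all_tokens(db):
    """Interim workaround from the recommended actions: drop every outstanding
    token. Returns the number of rows removed."""
    count = db.execute("SELECT COUNT(*) FROM password_resets").fetchone()[0]
    db.execute("DELETE FROM password_resets")
    return count


def demo():
    """Replay the advisory's scenario: a link intercepted on day 0 is redeemed
    90 days later. Returns each outcome for inspection."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    later = t0 + timedelta(days=90)
    db = open_db()
    intercepted = issue_token(db, 7, t0)
    results = {}
    # Vulnerable code accepts the 90-day-old token.
    results["vulnerable_after_90_days"] = validate_token_vulnerable(db, intercepted)
    # Fixed code rejects it and removes the stale row.
    results["fixed_after_90_days"] = validate_token_fixed(db, intercepted, later)
    # A fresh token is accepted exactly once.
    fresh = issue_token(db, 7, later)
    results["fixed_fresh"] = validate_token_fixed(db, fresh, later + timedelta(minutes=10))
    results["fixed_replay"] = validate_token_fixed(db, fresh, later + timedelta(minutes=11))
    # Workaround: two outstanding tokens are wiped wholesale.
    issue_token(db, 7, later)
    issue_token(db, 8, later)
    results["purged"] = purge_all_tokens(db)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened path reads created_at on every lookup and deletes the row on every redemption attempt, so an expired token is purged rather than lingering and a valid one cannot be replayed. The purge helper mirrors the interim workaround: it invalidates only tokens already issued, so on an unpatched instance a new reset request immediately creates another token that never expires.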

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Wallosapp; Wallosapp wallos
  CPEs                 -                cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
  Vendors & Products   -                Wallosapp; Wallosapp wallos

Wed, 25 Mar 2026 12:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Ellite; Ellite wallos
  Vendors & Products   -                Ellite; Ellite wallos

Tue, 24 Mar 2026 19:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics              -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 18:30:00 +0000

  Type                 Values Removed   Values Added
  Description          -                Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2.
  Title                -                Wallos: Password Reset Tokens Never Expire
  Weaknesses           -                CWE-613
  References           -
  Metrics              -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:37:53.873Z

Reserved: 2026-03-19T17:02:34.172Z

Link: CVE-2026-33417

Vulnrichment

Updated: 2026-03-24T18:37:50.838Z

NVD

Status : Analyzed

Published: 2026-03-24T19:16:53.540

Modified: 2026-03-26T20:59:31.423

Link: CVE-2026-33417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:48Z

Weaknesses