Description
Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been patched in version 5.17.1.
Published: 2026-05-07
Score: 4.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Weblate’s API tokens, which are prefixed with “wlu_”, are not automatically revoked when a user changes their password. The existing browser sessions are invalidated correctly, but the tokens stored in the authtoken_token table continue to be valid. This flaw allows an attacker who has an active token before the password change to keep using that token for API calls after the account password has been updated. The vulnerability is a session‑fixation flaw and is classified as CWE‑613.

Affected Systems

Users running Weblate versions earlier than 5.17.1 are affected: every release before 5.17.1 that stores DRF API tokens in the authtoken_token table leaves those tokens valid after a password change, and the issue was patched in the 5.17.1 release. The product is the Weblate web‑based localization platform provided by WeblateOrg.

Risk and Exploitability

The CVSS score for this vulnerability is 4.2, indicating a medium impact. EPSS information is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Because the flaw enables continued use of an API token after a password change, the likely attack vector is remote API exploitation; an attacker who has obtained or guessed a token before the password change can keep accessing the Weblate instance. The risk is moderate, but production deployments with exposed APIs or users who share long‑term tokens should address the issue promptly.

Generated by OpenCVE AI on May 7, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Weblate to version 5.17.1 or later, which automatically revokes all API tokens when a password is changed.
  • If an upgrade is not possible, manually delete or rotate all existing API tokens for users who have recently changed their passwords.
  • Audit API token logs for unusual activity and revoke any tokens that appear to be in use after a password change.
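The third action above (audit token activity and revoke tokens still in use after a password change) can be scripted. The block below is an added example written for this advisory; it is not OpenCVE's or Weblate's code. It assumes a simplified, constructed log format (ISO timestamp, source, event, then key=value fields) that a real deployment would have to adapt to its own Django/Weblate logging; only the "wlu_" token prefix comes from the advisory. A token is flagged when it was already in use before its owner's password change and is still being used afterwards, which is exactly the condition the unpatched versions allow.

```python
"""Find API-token uses that persist past the token owner's password change.

Added example for CVE-2026-41519; not OpenCVE's or Weblate's code. The log
format is an assumption (constructed for this example); the "wlu_" prefix
is the one the advisory gives for Weblate's DRF tokens.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re

# Constructed sample lines (not real Weblate output). Sorted order is not
# required; the parser sorts by timestamp.
SAMPLE_LOG = """\
2026-05-07T09:30:00Z api request user=bob token=wlu_def34 path=/api/translations/
2026-05-07T10:00:00Z auth password_change user=alice
2026-05-07T10:05:00Z api request user=alice token=wlu_abc12 path=/api/projects/
2026-05-07T11:00:00Z auth password_change user=bob
2026-05-07T11:30:00Z api request user=bob token=wlu_def34 path=/api/units/
2026-05-07T12:00:00Z api request user=bob token=wlu_new99 path=/api/units/
this line is noise and is ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<source>auth|api) (?P<event>\S+)"
    r" user=(?P<user>\S+)(?: token=(?P<token>wlu_\S+))?(?: path=(?P<path>\S+))?$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    event: str
    user: str
    token: Optional[str]
    path: Optional[str]


def parse_log(text: str) -> list:
    """Parse recognised lines into Events, ignore the rest, sort by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["source"], m["event"], m["user"], m["token"], m["path"]))
    events.sort(key=lambda e: e.ts)
    return events


def find_stale_token_use(events: list) -> list:
    """Return API requests whose token pre-dates the same user's password
    change and is still in use after it. Tokens first observed after the
    change are not flagged: they may legitimately be newly issued ones."""
    password_changes = defaultdict(list)  # user -> [change times]
    first_seen = {}                       # (user, token) -> first use time
    findings = []
    for ev in events:
        if ev.source == "auth" and ev.event == "password_change":
            password_changes[ev.user].append(ev.ts)
            continue
        if ev.source != "api" or ev.token is None:
            continue
        key = (ev.user, ev.token)
        first_seen.setdefault(key, ev.ts)
        crossed = [c for c in password_changes[ev.user] if first_seen[key] < c <= ev.ts]
        if crossed:
            findings.append({
                "user": ev.user,
                "token": ev.token,
                "password_changed_at": max(crossed).isoformat(),
                "used_at": ev.ts.isoformat(),
                "path": ev.path,
            })
    return findings


def report(text: str = SAMPLE_LOG) -> list:
    """Convenience wrapper: parse then analyse."""
    return find_stale_token_use(parse_log(text))


if __name__ == "__main__":
    for f in report():
        print(f"revoke {f['token']} for {f['user']}: used {f['used_at']} "
              f"after password change at {f['password_changed_at']} ({f['path']})")
```

On the constructed sample only bob's wlu_def34 is reported: it was seen at 09:30, bob changed his password at 11:00, and the same token was used again at 11:30. alice's token and bob's wlu_new99 are first seen after the respective password changes, so they are left alone. Each finding names the token to revoke and the request it served, which is what an operator on a pre-5.17.1 instance needs in order to act on the second and third recommendations.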



Advisories

  Source: GitHub GHSA
  ID: GHSA-6j8j-4qp3-36p2
  Title: Weblate Doesn't Invalidate API Token on Password Change
History

Thu, 07 May 2026 18:15:00 +0000

  Type: First Time appeared
    Values Added: Weblate; Weblate weblate
  Type: Vendors & Products
    Values Added: Weblate; Weblate weblate

Thu, 07 May 2026 16:15:00 +0000

  Type: Metrics
    Values Added: ssvc
      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 14:30:00 +0000

  Type: Description
    Values Added: Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been patched in version 5.17.1.
  Type: Title
    Values Added: Weblate's API Token Not Invalidated on Password Change
  Type: Weaknesses
    Values Added: CWE-613
  Type: References
  Type: Metrics
    Values Added: cvssV3_1
      {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:45:40.554Z

Reserved: 2026-04-20T18:18:50.682Z

Link: CVE-2026-41519

Vulnrichment

Updated: 2026-05-07T14:45:35.982Z

NVD

Status: Awaiting Analysis

Published: 2026-05-07T15:16:07.160

Modified: 2026-05-07T15:46:27.607

Link: CVE-2026-41519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T18:00:11Z

Weaknesses