Skip to main content

Weblate CVE-2026-41519

MEDIUM
Insufficient Session Expiration (CWE-613)
2026-04-30 https://github.com/WeblateOrg/weblate GHSA-6j8j-4qp3-36p2
4.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Apr 30, 2026 - 17:47 vuln.today
Analysis Generated
Apr 30, 2026 - 17:47 vuln.today
Analysis Generated
Apr 30, 2026 - 17:30 vuln.today
Patch released
Apr 30, 2026 - 17:30 nvd
Patch available
CVE Published
Apr 30, 2026 - 17:28 nvd
MEDIUM 4.2

DescriptionGitHub Advisory

Impact

When a user changes their password, browser sessions are correctly invalidated via cycle_session_keys(), but DRF API tokens (wlu_* prefix) stored in authtoken_token are not revoked.

Patches

  • https://github.com/WeblateOrg/weblate/pull/19057

Resources

Weblate thanks Sang Yu Jeon for reporting this via GitHub.

AnalysisAI

Weblate fails to revoke Django REST Framework API tokens when users change their passwords, allowing attackers with knowledge of a user's old credentials to continue accessing APIs indefinitely even after password changes. The vulnerability affects authenticated users on Weblate versions prior to 5.17.1 and requires high attack complexity due to the need for legitimate account access, but carries meaningful risk in multi-user translation environments where password compromise may go undetected.

Technical ContextAI

Weblate uses Django REST Framework's Token authentication system to issue persistent API tokens with the wlu_* prefix (or wlp_* for bot accounts) stored in the authtoken_token database table. The password change workflow correctly invalidates browser sessions via cycle_session_keys() but does not trigger token revocation in the DRF token store. This is a session management and token lifecycle issue rooted in CWE-613 (Insufficient Session Expiration), where a critical authentication artifact is not properly retired when credentials are updated. The fix implemented in commit 649a2da adds a reset_api_token() call during password save and introduces a user-facing checkbox to enable or disable API key regeneration, defaulting to enabled for security.

RemediationAI

Upgrade Weblate to version 5.17.1 or later immediately. The patch adds automatic API token regeneration during password changes with a user-accessible checkbox defaulting to enabled. Organizations unable to upgrade immediately should implement the following compensating controls: (1) Manually rotate all API tokens for users who have changed passwords since the vulnerability was introduced, using the Django admin or API management interface; (2) Disable API token authentication entirely if not actively used, restricting access to session-based authentication only; (3) Implement network-level restrictions on API endpoints, limiting exposure to trusted CI/CD systems and integrations; (4) Monitor API token usage logs for anomalous activity following user password changes, flagging tokens used more than a few minutes after password modification. Note that disabling tokens may break CI/CD pipelines or third-party integrations and requires testing before production deployment.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-41519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy