Weblate CVE-2026-41519
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
Impact
When a user changes their password, browser sessions are correctly invalidated via cycle_session_keys(), but DRF API tokens (wlu_* prefix) stored in authtoken_token are not revoked.
Patches
- https://github.com/WeblateOrg/weblate/pull/19057
Resources
Weblate thanks Sang Yu Jeon for reporting this via GitHub.
AnalysisAI
Weblate fails to revoke Django REST Framework API tokens when users change their passwords, allowing attackers with knowledge of a user's old credentials to continue accessing APIs indefinitely even after password changes. The vulnerability affects authenticated users on Weblate versions prior to 5.17.1 and requires high attack complexity due to the need for legitimate account access, but carries meaningful risk in multi-user translation environments where password compromise may go undetected.
Technical ContextAI
Weblate uses Django REST Framework's Token authentication system to issue persistent API tokens with the wlu_* prefix (or wlp_* for bot accounts) stored in the authtoken_token database table. The password change workflow correctly invalidates browser sessions via cycle_session_keys() but does not trigger token revocation in the DRF token store. This is a session management and token lifecycle issue rooted in CWE-613 (Insufficient Session Expiration), where a critical authentication artifact is not properly retired when credentials are updated. The fix implemented in commit 649a2da adds a reset_api_token() call during password save and introduces a user-facing checkbox to enable or disable API key regeneration, defaulting to enabled for security.
RemediationAI
Upgrade Weblate to version 5.17.1 or later immediately. The patch adds automatic API token regeneration during password changes with a user-accessible checkbox defaulting to enabled. Organizations unable to upgrade immediately should implement the following compensating controls: (1) Manually rotate all API tokens for users who have changed passwords since the vulnerability was introduced, using the Django admin or API management interface; (2) Disable API token authentication entirely if not actively used, restricting access to session-based authentication only; (3) Implement network-level restrictions on API endpoints, limiting exposure to trusted CI/CD systems and integrations; (4) Monitor API token usage logs for anomalous activity following user password changes, flagging tokens used more than a few minutes after password modification. Note that disabling tokens may break CI/CD pipelines or third-party integrations and requires testing before production deployment.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6j8j-4qp3-36p2