Executive Summary

The vulnerability CVE-2026-41519 affects Weblate versions prior to 5.17.1. When a user changes their password, the browser sessions are properly invalidated, but API tokens with the prefix "wlu_*" stored in the authtoken_token table are not revoked. This means that even after a password change, old API tokens remain valid and could potentially be reused by an attacker.

This issue is classified under CWE-613 for insufficient session expiration, indicating that old session credentials or tokens are not properly invalidated. The vulnerability has a moderate severity with a CVSS score of 4.2, requires low privileges to exploit, has high attack complexity, and does not require user interaction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to reuse old API tokens even after a password change. If an attacker has obtained or compromised an API token, they could continue to access your Weblate account or services through the API without needing your current password.

Because the API tokens are not revoked automatically upon password change, unauthorized access could persist, potentially leading to data exposure or unauthorized actions performed via the API.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves API tokens with the prefix "wlu_*" stored in the authtoken_token table not being revoked after a user changes their password. To detect this issue, you can check for active API tokens that remain valid after password changes.

One approach is to query the database table authtoken_token for tokens with the prefix "wlu_*" and verify if they are still active after password changes.

Example SQL command to list such tokens:

• SELECT * FROM authtoken_token WHERE token LIKE 'wlu_%';

Additionally, monitoring API usage logs for tokens that should have been revoked but are still in use can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Weblate to version 5.17.1 or later, where this vulnerability has been patched.

If immediate upgrade is not possible, manually revoke and regenerate API tokens with the prefix "wlu_*" for all users who have changed their passwords to ensure old tokens cannot be reused.

The patch introduces a default-enabled option to automatically regenerate API tokens during password changes or resets, so applying the update ensures this protection is in place.

Review and apply any helper utilities or scripts provided in the update to manage API tokens effectively.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability involves the failure to revoke API tokens when a user changes their password, which could allow continued unauthorized access using old tokens. Such insufficient session expiration and token revocation may increase the risk of unauthorized data access or compromise.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the issue relates to session and token management practices that are important for protecting personal and sensitive data under these regulations.

By not revoking API tokens upon password changes, there is a potential risk that unauthorized parties could maintain access to user data, which could be considered a failure to adequately protect data confidentiality and integrity as required by such regulations.

The patch in version 5.17.1 improves compliance posture by ensuring API tokens are revoked and regenerated during password changes, reducing the risk of unauthorized access and helping meet security best practices relevant to regulatory requirements.

Useful 0 Not Useful 0