Weblate Doesn't Invalidate API Token on Password Change

GHSA-6j8j-4qp3-36p2 · CVE-2026-41519

Published Apr 30, 2026 · Modified May 8, 2026

Description

Impact

When a user changes their password, browser sessions are correctly invalidated via cycle_session_keys(), but DRF API tokens (wlu_* prefix) stored in authtoken_token are not revoked.

Patches

https://github.com/WeblateOrg/weblate/pull/19057

Resources

Weblate thanks Sang Yu Jeon for reporting this via GitHub.

References

WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6j8j-4qp3-36p2
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41519
WEB https://github.com/WeblateOrg/weblate/pull/19057
WEB https://github.com/WeblateOrg/weblate/commit/649a2da81700542f95c0807b3c625fc3bb0eaf95
PACKAGE https://github.com/WeblateOrg/weblate
WEB https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes