Weblate Authentication Vulnerability in Web-Based Localization Tool
CVE-2026-41519

4.2 MEDIUM

Key Information:

Vendor: Weblateorg
Status: Vendor
CVE Published: 7 May 2026

What is CVE-2026-41519?

The vulnerability in Weblate affects its authentication mechanism: prior to version 5.17.1, changing a user's password invalidates that user's browser sessions but does not revoke their API tokens (the 'wlu_*'-prefixed tokens stored in the 'authtoken_token' table). As a result, API access authenticated with a previously issued token keeps working after the password change, so anyone holding such a token retains access that the user expected the password rotation to cut off. The issue is fixed in version 5.17.1, which invalidates token-based sessions at the same time as browser sessions when a password is changed.
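As an added illustration (not Weblate's own code), the following Python model contrasts the two password-change behaviours the advisory describes and adds a defender's audit that flags tokens issued before the user's last password change; the user name, token value and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of the two credential stores the advisory describes:
# browser sessions and "wlu_"-prefixed API tokens (the authtoken_token table).
# Illustrative code for this page, not Weblate's own implementation.

@dataclass
class User:
    username: str
    password_changed_at: datetime
    sessions: set = field(default_factory=set)
    tokens: dict = field(default_factory=dict)  # token key -> created time

def change_password_vulnerable(user: User, now: datetime) -> None:
    """Pre-5.17.1 behaviour: browser sessions are flushed, API tokens survive."""
    user.password_changed_at = now
    user.sessions.clear()

def change_password_fixed(user: User, now: datetime) -> None:
    """5.17.1 behaviour: sessions and API tokens are invalidated together."""
    user.password_changed_at = now
    user.sessions.clear()
    user.tokens.clear()

def stale_tokens(user: User) -> list:
    """Defender's audit: any token issued before the last password change
    outlived a credential rotation and should be revoked."""
    return sorted(k for k, created in user.tokens.items()
                  if created < user.password_changed_at)

def demo() -> dict:
    t0 = datetime(2026, 5, 1, 12, 0)          # time of the password change
    def make_user() -> User:
        u = User("alice", password_changed_at=t0 - timedelta(days=30))
        u.sessions.add("sessionid-abc")
        u.tokens["wlu_example1"] = t0 - timedelta(days=7)  # constructed token
        return u
    vuln, fixed = make_user(), make_user()
    change_password_vulnerable(vuln, t0)
    change_password_fixed(fixed, t0)
    return {
        "vulnerable_token_survives": "wlu_example1" in vuln.tokens,
        "vulnerable_stale": stale_tokens(vuln),
        "fixed_token_survives": "wlu_example1" in fixed.tokens,
        "fixed_stale": stale_tokens(fixed),
    }
```

Running `stale_tokens` against a real token table (comparing each token's creation time with the user's last password change) is a practical way to find tokens that should have been revoked on an instance upgraded from an affected version.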

Affected Version(s)

weblate < 5.17.1

References

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
