Weblate Doesn't Invalidate API Token on Password Change

Impact

When a user changes their password, browser sessions are correctly invalidated via cycle_session_keys(), but DRF API tokens (wlu_* prefix) stored in authtoken_token are not revoked.

Patches

WeblateOrg/weblate#19057

Resources

Weblate thanks Sang Yu Jeon for reporting this via GitHub.

References

nijel published to WeblateOrg/weblate Apr 30, 2026

Published to the GitHub Advisory Database Apr 30, 2026

Reviewed Apr 30, 2026

Last updated Apr 30, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Resources

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

Insufficient Session Expiration

CVE ID

GHSA ID

Source code

Credits

Uh oh!