CVE-2026-33417 MEDIUM

CVE-2026-33417: Wallos: Password Reset Tokens Never Expire

Vendor Ellite
Product Wallos
Weakness CWE-613 · Insufficient session expiration
Published March 24, 2026
Last update March 24, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2.
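The pattern described above, shown as an added example that is not Wallos's own code: a minimal password_resets table with a created_at column, a lookup in the vulnerable style that checks only that the token row exists, and a hardened lookup that enforces a time-to-live, consumes the token on use and purges stale rows. Wallos is a PHP application; this illustration uses Python and sqlite3 to keep it self-contained. The 30-minute TTL, the token hashing and all names below are assumptions, not values taken from the project.

```python
import hashlib
import secrets
import sqlite3

# Assumed policy for the example: reset links are good for 30 minutes.
RESET_TOKEN_TTL = 30 * 60


def open_db() -> sqlite3.Connection:
    """In-memory table mirroring the shape described in the advisory (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE password_resets ("
        " email TEXT NOT NULL,"
        " token TEXT NOT NULL,"
        " created_at INTEGER NOT NULL)"
    )
    return conn


def hash_token(token: str) -> str:
    # Store only a digest so a database leak does not hand out live reset links
    # (an extra hardening step, not something the advisory describes).
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(conn: sqlite3.Connection, email: str, now: int) -> str:
    """Create a reset token for `email`, recording when it was issued."""
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO password_resets (email, token, created_at) VALUES (?, ?, ?)",
        (email, hash_token(token), now),
    )
    return token


def vulnerable_validate(conn: sqlite3.Connection, token: str):
    """CWE-613 pattern: created_at is stored but never consulted, so any token
    that was ever issued stays valid until it is used."""
    row = conn.execute(
        "SELECT email FROM password_resets WHERE token = ?", (hash_token(token),)
    ).fetchone()
    return row[0] if row else None


def hardened_validate(conn: sqlite3.Connection, token: str, now: int,
                      ttl: int = RESET_TOKEN_TTL):
    """Accept the token only if it exists AND is younger than `ttl` seconds.
    The row is deleted in both the expired and the successful case, so a token
    is single-use and a stale one cannot linger for a later attempt."""
    digest = hash_token(token)
    row = conn.execute(
        "SELECT email, created_at FROM password_resets WHERE token = ?", (digest,)
    ).fetchone()
    if row is None:
        return None
    email, created_at = row
    conn.execute("DELETE FROM password_resets WHERE token = ?", (digest,))
    if now - created_at > ttl:
        return None  # expired: reject even though the row was present
    return email


def purge_expired(conn: sqlite3.Connection, now: int, ttl: int = RESET_TOKEN_TTL) -> int:
    """Housekeeping: drop tokens older than `ttl`; returns the number removed."""
    cur = conn.execute(
        "DELETE FROM password_resets WHERE created_at < ?", (now - ttl,)
    )
    return cur.rowcount


def demo() -> dict:
    """Replay the advisory's scenario: a link captured at issue time is
    presented 45 days later to both validators."""
    conn = open_db()
    issued_at = 1_700_000_000          # constructed fixed timestamp
    token = issue_token(conn, "alice@example.com", issued_at)
    much_later = issued_at + 45 * 24 * 3600
    return {
        "vulnerable_accepts_stale": vulnerable_validate(conn, token),
        "hardened_rejects_stale": hardened_validate(conn, token, much_later),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened path deletes the row before deciding, so the outcome is the same whether the token was expired or accepted: it cannot be replayed. A scheduled `purge_expired` call keeps the table from accumulating rows that would otherwise sit there until someone guesses or recovers the link.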

Key dates

02 Disclosure timeline

March 24, 2026 CVE published
March 24, 2026 Record updated