Weblate Password Change API Token Not Invalidated Vulnerability

Vulnerability

Weblate versions prior to 5.17.1 do not revoke a user's API tokens when that user changes their password. Django's own session handling logs the user's browser sessions out on a password change, but the Django REST Framework (DRF) API tokens that Weblate issues, stored in the 'authtoken_token' table and carrying a 'wlu_*' prefix, remain valid. Because a password change is frequently the response to a suspected account compromise, anyone who has already obtained the token keeps API access at the user's privilege level after the password has been rotated.

Impact

An API token issued before the password change stays usable afterwards. If that token has been exposed, for example copied from a compromised workstation or leaked in a CI log, changing the password does not cut off its holder, who retains API access with the same permissions as the account until the token itself is regenerated.

Reproduction

On Weblate 5.17.0 or earlier: note the account's API token (prefixed 'wlu_'), confirm that it works by calling an authenticated API endpoint with the header 'Authorization: Token wlu_...', then change the account's password. A browser session that was logged in before the change is logged out, but repeating the API call with the old token still succeeds, because the token was never revoked.
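To make the behaviour described above concrete, here is an added, stand-alone model of why the two credential types diverge on a password change. It is not Weblate's or Django's code, and every class, function and constant name in it is an assumption chosen for this illustration. A browser session stores an HMAC over the user's current password hash and is rechecked on every request, so changing the password silently logs it out; a DRF-style token is a random key looked up in a table with no link to the password at all. The Server class takes a flag that turns on the fix, deleting the user's tokens whenever the password changes.

```python
"""Constructed model of Django session invalidation versus API token auth.
Added example, not Weblate's or Django's code; all names are illustrative."""
import hashlib
import hmac
import secrets

# Illustrative stand-in for the key Django derives for its session auth hash.
SESSION_HASH_SALT = b"session-auth-hash"


class User:
    def __init__(self, username, password):
        self.username = username
        self.password_hash = self._hash(password)

    @staticmethod
    def _hash(password):
        # Placeholder for a real password hasher; only the "changes with the
        # password" property matters for this example.
        return hashlib.sha256(password.encode()).hexdigest()

    def session_auth_hash(self):
        # Mirrors the idea behind Django's get_session_auth_hash(): an HMAC over
        # the stored password hash, so it changes whenever the password does.
        return hmac.new(SESSION_HASH_SALT, self.password_hash.encode(), "sha256").hexdigest()


class Server:
    """Holds browser sessions and API tokens for users (constructed)."""

    def __init__(self, revoke_tokens_on_password_change):
        self.users = {}
        self.sessions = {}  # session_id -> (username, auth hash captured at login)
        self.tokens = {}    # token -> username, like the authtoken_token table
        self.revoke_tokens_on_password_change = revoke_tokens_on_password_change

    def add_user(self, username, password):
        self.users[username] = User(username, password)

    def login_browser(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = (username, self.users[username].session_auth_hash())
        return sid

    def issue_api_token(self, username):
        token = "wlu_" + secrets.token_urlsafe(24)
        self.tokens[token] = username
        return token

    def auth_session(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, stored_hash = entry
        # Recomputed on every request: a mismatch with the user's current hash
        # means the password changed since login, so the session is dropped.
        if not hmac.compare_digest(stored_hash, self.users[username].session_auth_hash()):
            del self.sessions[sid]
            return None
        return username

    def auth_token(self, token):
        # Token auth is a plain table lookup; nothing ties it to the password.
        return self.tokens.get(token)

    def change_password(self, username, new_password):
        user = self.users[username]
        user.password_hash = user._hash(new_password)
        if self.revoke_tokens_on_password_change:
            # The fix: drop the user's tokens, the equivalent of
            # Token.objects.filter(user=user).delete() in DRF.
            self.tokens = {t: u for t, u in self.tokens.items() if u != username}


def demo(revoke_tokens):
    """Return (session_still_valid, token_still_valid) after a password change."""
    srv = Server(revoke_tokens_on_password_change=revoke_tokens)
    srv.add_user("alice", "old-password")
    sid = srv.login_browser("alice")
    token = srv.issue_api_token("alice")
    assert srv.auth_session(sid) == "alice" and srv.auth_token(token) == "alice"
    srv.change_password("alice", "new-password")
    return srv.auth_session(sid) == "alice", srv.auth_token(token) == "alice"


if __name__ == "__main__":
    print("unpatched (session, token):", demo(False))  # (False, True)
    print("patched   (session, token):", demo(True))   # (False, False)
```

The unpatched run reproduces the advisory: the session is gone, the token still authenticates. Real Django additionally keeps the session that performed the change alive by refreshing its stored hash, which does not affect tokens either way; the point is that token revocation has to be an explicit step, since nothing in the token itself depends on the password.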

Remediation

Upgrade to Weblate 5.17.1, where a password change also revokes the user's API tokens; upgrade instructions are in the Weblate documentation. For tokens that outlived a password change made on an unpatched version, regenerate the user's API key from the account's API access settings so that any previously exposed token stops working.

Added: May 7, 2026, 3:44 PM
Updated: May 7, 2026, 3:44 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.3
exploitability: 6.3
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.