CVE-2026-33417
Published: 24 March 2026
Summary
CVE-2026-33417 is a medium-severity Insufficient Session Expiration (CWE-613) vulnerability in Wallosapp Wallos. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 requires refreshing authenticators at their maximum lifetime, directly preventing password reset tokens from remaining valid indefinitely.
SI-2 mandates timely flaw remediation, such as patching the token validation logic flaw fixed in Wallos version 4.7.2.
AU-3 requires audit records to include authentication events like password resets, enabling detection of misuse of intercepted old tokens.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in the password reset logic of a public-facing web application (non-expiring reset tokens), so it can be exploited over the network to take over an account by obtaining valid credentials.
NVD Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2.
Deeper analysis
CVE-2026-33417 is a vulnerability in Wallos, an open-source, self-hostable personal subscription tracker, affecting versions prior to 4.7.2. The issue involves password reset tokens that never expire due to flawed validation logic. While the password_resets table includes a created_at timestamp column, the token validation does not check it, allowing a reset token to remain valid indefinitely until consumed. This flaw is classified under CWE-613 (Insufficient Session Expiration) with a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N).
An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this by intercepting a password reset link sent to a victim, which requires high attack complexity (AC:H) such as man-in-the-middle interception or phishing to obtain the token. The attacker can then use the token at any future time—days, weeks, or months later—to complete the password reset process without further user interaction (UI:N). This grants high confidentiality impact (C:H) by potentially accessing the victim's account data and low integrity impact (I:L) by changing the password, enabling account takeover.
The vulnerability has been patched in Wallos version 4.7.2. Mitigation involves upgrading to this version or later. Additional details on the fix are provided in the GitHub commit at https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb and the security advisory at https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf.
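The validation gap described in the NVD description and the analysis above, shown as an added Python illustration. This is not Wallos's own code and does not reproduce its fix; the function names, the in-memory stand-in for the password_resets table, the one-hour token lifetime and the constructed timeline are all assumptions. The vulnerable check mirrors the CWE-613 defect (created_at is stored but never consulted); the hardened check adds the lifetime comparison, a constant-time token comparison and single-use consumption, which is the shape of control that IA-5's maximum-lifetime requirement calls for.

```python
"""Password reset token validation: the CWE-613 defect beside a hardened check.

Added example, not Wallos code. Names, the lifetime policy and the
in-memory table are assumptions made for illustration only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: a reset token is only honoured for one hour after issue.
RESET_TOKEN_LIFETIME = timedelta(hours=1)

# Constructed fixed "now" so the demo below is deterministic.
T0 = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class PasswordReset:
    """One row of a hypothetical password_resets table."""
    email: str
    token_hash: str      # only a hash of the token is stored
    created_at: datetime  # present in the table, but see validate_vulnerable()
    used: bool = False


# Stand-in for the password_resets table, keyed by account e-mail.
password_resets: dict[str, PasswordReset] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(email: str, now: Optional[datetime] = None) -> str:
    """Create a reset record and return the raw token that would go in the link."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)
    password_resets[email] = PasswordReset(email, _hash_token(token), now)
    return token


def validate_vulnerable(email: str, token: str) -> bool:
    """Mirrors the defect: the row carries created_at, but it is never checked,
    so a token stays valid until it is consumed, however old it is."""
    rec = password_resets.get(email)
    if rec is None or rec.used:
        return False
    if rec.token_hash != _hash_token(token):
        return False
    rec.used = True
    return True


def validate_hardened(email: str, token: str, now: Optional[datetime] = None) -> bool:
    """Same lookup, plus constant-time comparison and a maximum-lifetime check."""
    now = now or datetime.now(timezone.utc)
    rec = password_resets.get(email)
    if rec is None or rec.used:
        return False
    if not hmac.compare_digest(rec.token_hash, _hash_token(token)):
        return False
    if now - rec.created_at > RESET_TOKEN_LIFETIME:
        return False  # expired: the comparison the vulnerable path lacks
    rec.used = True  # single use: a replayed link is refused even if fresh
    return True


def run_demo() -> dict:
    """Exercise both checks on a 30-day-old token and on a fresh one."""
    password_resets.clear()
    old = issue_reset_token("old@example.test", now=T0)
    fresh = issue_reset_token("fresh@example.test", now=T0)
    return {
        # a month later: hardened refuses, vulnerable still accepts
        "old_hardened": validate_hardened("old@example.test", old, now=T0 + timedelta(days=30)),
        "old_vulnerable": validate_vulnerable("old@example.test", old),
        # within the lifetime: accepted once, then refused as already used
        "fresh_hardened": validate_hardened("fresh@example.test", fresh, now=T0 + timedelta(minutes=10)),
        "fresh_reuse": validate_hardened("fresh@example.test", fresh, now=T0 + timedelta(minutes=11)),
        "fresh_wrong": validate_hardened("fresh@example.test", "not-the-token", now=T0),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
```

The expiry comparison is deliberately placed after the hash comparison so that a forged token is refused for the same reason whether or not the record is stale; what matters for CWE-613 is that created_at participates in the decision at all. Auditing both outcomes (AU-3) is what makes later use of an intercepted link visible to a defender.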
Details
- CWE(s)