CVE-2026-33417 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting Wallos, an open-source, self-hostable personal subscription tracker. In versions prior to 4.7.2, the password reset tokens generated and stored in the password_resets table include a created_at timestamp, but the token validation logic fails to check this timestamp for expiration. Consequently, password reset tokens remain valid indefinitely until they are used. This design flaw allows an attacker who manages to intercept a password reset link—via network interception, phishing, or other means—to reuse the token at any time in the future, even months later, to reset the victim's password and gain unauthorized access. The vulnerability does not require the attacker to be authenticated or for the user to interact with the attack beyond the initial interception. The CVSS v3.1 score is 6.5 (medium severity), reflecting the network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. The issue has been addressed in Wallos version 4.7.2 by implementing proper expiration checks on password reset tokens, ensuring tokens are invalidated after a defined time window. No known exploits are reported in the wild as of the publication date.

The primary impact of this vulnerability is unauthorized account takeover through exploitation of indefinitely valid password reset tokens. Attackers who intercept reset links can compromise user accounts, leading to exposure of personal subscription data and potentially sensitive user information. This breach of confidentiality can undermine user trust and violate privacy regulations. Although the integrity impact is low, attackers could change account credentials, indirectly affecting data integrity. Availability is not impacted. Organizations relying on Wallos for subscription management risk data breaches and account compromises if they run affected versions. The attack complexity is high due to the need to intercept tokens, but the lack of required authentication or user interaction increases risk. This vulnerability could be leveraged in targeted attacks or phishing campaigns, especially against high-value users or organizations using Wallos for sensitive subscription tracking.

Organizations should immediately upgrade Wallos installations to version 4.7.2 or later, where the vulnerability is patched. For environments where immediate upgrade is not feasible, implement compensating controls such as: (1) monitoring and logging password reset requests and usage to detect anomalies; (2) enforcing additional verification steps during password resets, such as multi-factor authentication or out-of-band confirmation; (3) restricting network access to the Wallos instance to trusted IP ranges to reduce interception risk; (4) educating users about phishing risks and safe handling of password reset emails; (5) implementing TLS encryption for all communications to prevent token interception; and (6) periodically invalidating all outstanding password reset tokens manually if possible. Developers should review token management logic to ensure expiration is enforced and consider adopting industry best practices for session and token lifecycle management.