Platform
python
Component
weblate
Fixed in
5.17.1
5.17
CVE-2026-33214 describes an unintended exposure of the translation memory API in Weblate due to missing access controls. This allows unauthorized access to sensitive translation data. The vulnerability impacts Weblate versions from 0.0.0 up to, but not including, version 5.17.0. A fix is available in Weblate 5.17.0.
The core impact of CVE-2026-33214 lies in the potential for unauthorized access to Weblate's translation memory data. An attacker could exploit this vulnerability to retrieve sensitive information stored within the translation memory, potentially including confidential project content, proprietary terminology, or even personally identifiable information (PII) if present in the translations. While the description doesn't explicitly detail lateral movement capabilities, successful data exfiltration could be a precursor to further attacks targeting the underlying systems or related data stores. The blast radius extends to any system utilizing Weblate for translation management, particularly those handling sensitive or regulated data.
This vulnerability was reported by ggamno via HackerOne and publicly disclosed on 2026-04-15. There is no indication of active exploitation campaigns or a KEV listing at the time of writing. No public proof-of-concept exploits have been published, which suggests a relatively low immediate risk, but access-control bypasses of this kind are typically easy to exploit once known, so that assessment could change.
Exploit Status
EPSS
0.01% (2nd percentile)
The primary mitigation for CVE-2026-33214 is upgrading to Weblate version 5.17.0 or later, which includes the necessary access control fixes. If an immediate upgrade is not feasible, a temporary workaround involves blocking access to the /api/memory/ endpoint in the HTTP server configuration. This effectively disables the vulnerable feature, preventing unauthorized access. Ensure your web server (e.g., Nginx, Apache) is configured to deny requests to this endpoint. After upgrading to version 5.17.0, verify the fix by attempting to access the /api/memory/ endpoint with an unauthorized user account; access should be denied.
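A check for the verification step above, added here as an illustration and not taken from Weblate or from this advisory: it requests /api/memory/ anonymously and with an API token and reports whether the server denied access. The mock server is a constructed stand-in for a Weblate instance, and the token header format `Authorization: Token <key>` is an assumption.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MEMORY_PATH = "/api/memory/"  # endpoint named in the advisory

def check_memory_endpoint(base_url, token=None, timeout=5):
    """GET /api/memory/ and return (status_code, denied).
    denied is True for 401/403, the answer expected after the fix or an
    HTTP-server block; 200 means this caller can still read the memory.
    Assumes Weblate's API token header 'Authorization: Token <key>'."""
    req = urllib.request.Request(base_url.rstrip("/") + MEMORY_PATH)
    if token:
        req.add_header("Authorization", "Token " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return status, status in (401, 403)

def make_mock_handler(patched):
    """Constructed stand-in for a Weblate instance (not Weblate code): the
    unpatched variant answers everyone, the patched one rejects anonymous
    requests to the memory endpoint but still serves credentialed ones."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            anonymous = self.headers.get("Authorization") is None
            if self.path.startswith(MEMORY_PATH) and patched and anonymous:
                self.send_response(403)
            else:
                self.send_response(200)
            self.end_headers()
            self.wfile.write(b'{"results": []}')
        def log_message(self, *args):  # keep demo output quiet
            pass
    return Handler

def run_mock(patched):
    """Serve the mock on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_mock_handler(patched))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    for patched in (False, True):
        server, url = run_mock(patched)
        print(patched, check_memory_endpoint(url), check_memory_endpoint(url, "demo"))
        server.shutdown()
```

Against a real instance, point `check_memory_endpoint` at the Weblate base URL and run it both anonymously and with a token from an account that should not have translation memory access; both should report denied after the upgrade or the web-server block.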
Upgrade Weblate to version 5.17 or later to fix the access control vulnerability. If you cannot upgrade immediately, block access to `/api/memory/` on your HTTP server to disable the translation memory feature.
CVE-2026-33214 is a medium severity vulnerability in Weblate where the translation memory API lacked proper access controls, allowing unauthorized data access.
You are affected if you are using Weblate versions 0.0.0 through 5.16. Upgrade to 5.17.0 to mitigate the risk.
Upgrade to Weblate version 5.17.0 or later. As a temporary workaround, block access to the /api/memory/ endpoint in your HTTP server configuration.
There is currently no evidence of active exploitation, but the vulnerability's nature could make it a target.
Refer to the Weblate GitHub repository for updates and information: https://github.com/WeblateOrg/weblate/pull/18513