Platform: python
Component: weblate
Fixed in: 5.17.1, 5.17
CVE-2026-33220 is a medium-severity vulnerability affecting Weblate versions 0.0.0 through 5.16. The translation memory API exposed unintended endpoints without proper access controls, potentially allowing unauthorized access to sensitive data. This issue has been resolved in version 5.17.0, and a CDN add-on workaround is available.
The core impact of CVE-2026-33220 lies in the exposure of Weblate's translation memory API endpoints without adequate access control mechanisms. An attacker could exploit this to retrieve or manipulate translation data, including potentially sensitive content managed within Weblate projects. The extent of the data at risk depends on what is stored in the translation memories. While the description does not explicitly mention lateral movement, successful exploitation could lead to unauthorized access to other systems if Weblate is integrated with other services or if the attacker obtains credentials through the exposed API.
CVE-2026-33220 was responsibly reported via GitHub by @spbavarva. As of the publication date (2026-04-15), there is no indication of active exploitation or KEV listing. Public proof-of-concept code is not currently available, but the vulnerability's nature suggests it could be relatively straightforward to exploit once a suitable payload is developed.
Exploit Status
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2026-33220 is to upgrade Weblate to version 5.17.0 or later, which includes the necessary access control fixes. If an immediate upgrade is not feasible, consider enabling the CDN add-on, which is not enabled by default and can provide an additional layer of protection. Review Weblate's access control configuration to ensure that only authorized users have access to translation memories. After upgrading, confirm the fix by attempting to access the exposed API endpoints with unauthorized credentials and verifying that access is denied.
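The post-upgrade check described above, as an added example that is not part of this advisory or of the Weblate project: it decides from the reported version whether an instance falls in the affected range (0.0.0 through 5.16, fixed in 5.17.0) and probes the translation memory API paths without credentials (or with a low-privilege token) expecting a 401/403. The paths in `TM_ENDPOINTS`, the `WEBLATE_TOKEN` variable and the `fetch` parameter are assumptions, not values from the advisory.

```python
"""Post-upgrade check for CVE-2026-33220 (added example, not Weblate's code)."""
import os
import sys
import urllib.error
import urllib.request

FIXED = (5, 17, 0)  # fixed in 5.17.0 per the advisory

# PLACEHOLDER: replace with the translation memory API routes of your deployment.
TM_ENDPOINTS = ["/api/memory/PLACEHOLDER/"]


def parse_version(text):
    """'5.16.1' -> (5, 16, 1); a non-numeric suffix such as '5.17rc1' is truncated."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """Advisory range is 0.0.0 through 5.16, i.e. everything below 5.17.0."""
    return parse_version(version_text) < FIXED


def probe(base_url, path, token=None, fetch=urllib.request.urlopen):
    """HTTP status of GET base_url+path; 'fetch' is injectable (assumed) for offline tests."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if token:  # optional low-privilege token from the environment (assumed name)
        req.add_header("Authorization", "Token " + token)
    try:
        with fetch(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx
        return err.code


def verify_access_control(base_url, token=None, fetch=urllib.request.urlopen):
    """Map each endpoint to True when access is denied (401 or 403), as expected after the fix."""
    return {p: probe(base_url, p, token, fetch) in (401, 403) for p in TM_ENDPOINTS}


if __name__ == "__main__":  # usage: python check.py https://weblate.example 5.16.2
    base, version = sys.argv[1], sys.argv[2]
    print("affected version" if is_affected(version) else "version not in affected range")
    print(verify_access_control(base, os.environ.get("WEBLATE_TOKEN")))
```

Any endpoint mapped to False still answers an unauthenticated or low-privilege request and needs attention.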
Update Weblate to version 5.17 or later to fix the vulnerability. If you cannot update immediately, disable the CDN add-on to mitigate the risk, since it is not enabled by default.
CVE-2026-33220 affects Weblate versions 0.0.0 through 5.16, exposing translation memory API endpoints without proper access control, potentially allowing unauthorized data access.
If you are running Weblate versions 0.0.0 through 5.16, you are potentially affected by this vulnerability. Upgrade to 5.17.0 to mitigate the risk.
Upgrade Weblate to version 5.17.0 or later. As a temporary workaround, enable the CDN add-on.
As of the publication date, there is no confirmed evidence of active exploitation of CVE-2026-33220.
Refer to the Weblate GitHub repository for updates and advisories: https://github.com/WeblateOrg/weblate/pull/18516