Platform
python
Component
weblate
Fixed in
5.17.1
5.17
CVE-2026-34393 is a high-severity vulnerability affecting Weblate versions prior to 5.17. This issue stems from a lack of proper scope limitation within the user patching API endpoint. An attacker can leverage this to modify any translation within the Weblate instance, potentially compromising localization data and workflows. The vulnerability has been resolved in version 5.17.0.
The primary impact of CVE-2026-34393 is the unauthorized modification of translations within a Weblate instance. An attacker could inject malicious content, alter terminology, or introduce errors into localized materials. This could lead to reputational damage, legal liabilities, or functional issues for applications relying on the affected translations. The scope of the vulnerability is broad, as it allows modification of any translation regardless of project or language. This could impact a wide range of users and stakeholders involved in the localization process.
CVE-2026-34393 was publicly disclosed on 2026-04-15. Currently, there are no publicly known proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog. The probability of exploitation is considered medium, given the ease of exploitation and the potential impact.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34393 is to immediately upgrade Weblate to version 5.17.0 or later. If upgrading is not immediately feasible, consider implementing stricter access controls and authentication measures to limit access to the patching API endpoint. While not a complete solution, this can reduce the attack surface. Review Weblate's access control configuration to ensure only authorized users can modify translations. After upgrading, confirm the fix by attempting to access the patching API endpoint with an unauthorized user account and verifying that access is denied.
Update Weblate to version 5.17 or later to mitigate the privilege escalation vulnerability in the user API. This update corrects the lack of proper restrictions on the scope of edits, preventing unauthorized users from modifying sensitive data.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34393 is a high-severity vulnerability in Weblate versions before 5.17, allowing unauthorized modification of translations due to insufficient scope limitations in the patching API.
Yes, if you are running Weblate versions 0.0.0 through 5.16, you are affected by this vulnerability and should upgrade immediately.
Upgrade Weblate to version 5.17.0 or later to resolve the vulnerability. If immediate upgrade is not possible, implement stricter access controls.
Currently, there are no publicly known active exploitation campaigns for CVE-2026-34393, but the ease of exploitation warrants immediate attention.
Refer to the official Weblate security advisory for detailed information and updates: [https://weblate.org/security/](https://weblate.org/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.