Package: weblate
Fixed in: 5.17.1, 5.17
CVE-2026-33214 describes an unintended exposure of the translation memory API in Weblate due to missing access controls. This allows unauthorized access to sensitive translation data. The vulnerability impacts Weblate versions from 0.0.0 up to, but not including, version 5.17.0. A fix is available in Weblate 5.17.0.
The core impact of CVE-2026-33214 lies in the potential for unauthorized access to Weblate's translation memory data. An attacker could exploit this vulnerability to retrieve sensitive information stored within the translation memory, potentially including confidential project content, proprietary terminology, or even personally identifiable information (PII) if present in the translations. While the description doesn't explicitly detail lateral movement capabilities, successful data exfiltration could be a precursor to further attacks targeting the underlying systems or related data stores. The blast radius extends to any system utilizing Weblate for translation management, particularly those handling sensitive or regulated data.
This vulnerability was reported by ggamno via HackerOne and publicly disclosed on 2026-04-15. There is no indication of active exploitation campaigns or a KEV listing at the time of writing. No public proof-of-concept exploits have been published, which suggests a relatively low immediate risk, but because a missing access control takes little effort to trigger, that could change quickly.
Organizations relying on Weblate for translation management, particularly those handling sensitive or proprietary content, are at risk. This includes software development teams, localization agencies, and businesses with multilingual customer support operations. Shared hosting environments running Weblate are also at increased risk due to potential vulnerabilities in the hosting infrastructure.
• python / web: Examine Weblate access logs for unusual activity targeting /api/memory/. Use grep to search for requests from unauthorized IP addresses or user agents.
• generic web: Use curl to test access to /api/memory/ with different user roles. Expect 403 Forbidden responses for unauthorized users.
• generic web: Monitor Weblate's internal audit logs (if enabled) for suspicious API calls related to translation memory.
• python: Check Weblate's configuration files for any custom access control rules that might be overriding the default settings.
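The log review in the first bullet, worked through as an added example (this code is not from the advisory or from Weblate). It assumes the instance sits behind nginx or Apache writing the standard "combined" log format, and that an operator knows which client addresses are expected to use the translation memory API; the log lines embedded below are constructed for the demonstration. The point it makes beyond the bullet: a 401/403 on `/api/memory/` is the expected, healthy result, so the signal to triage is a 2xx served to a client that should not have had access.

```python
"""Scan combined-format access logs for served requests to Weblate's /api/memory/ endpoint.

Added example, not part of the advisory or of Weblate. Assumes the usual nginx/Apache
"combined" log format; sample lines are constructed.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

MEMORY_PREFIX = "/api/memory/"

# Constructed sample: two served requests from an unexpected client, one denied request,
# and one unrelated API call from a logged-in user.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:10:00:01 +0000] "GET /api/memory/ HTTP/1.1" 200 18234 "-" "python-requests/2.31"
203.0.113.7 - - [15/Apr/2026:10:00:02 +0000] "GET /api/memory/?page=2 HTTP/1.1" 200 17990 "-" "python-requests/2.31"
198.51.100.4 - - [15/Apr/2026:10:05:09 +0000] "GET /api/memory/ HTTP/1.1" 403 145 "-" "curl/8.5.0"
192.0.2.10 - alice [15/Apr/2026:10:06:11 +0000] "GET /api/projects/ HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_memory_hits(log_text, trusted_ips=()):
    """Return served (2xx) requests to /api/memory/ that did not come from a trusted IP.

    Denied requests (401/403) are the expected result on a patched or blocked instance, so
    they are ignored; a 2xx to an unexpected client is what an analyst should look at.
    The remote-user field is not used: Weblate authenticates with sessions and API tokens,
    so that field is "-" regardless of whether the caller was logged in.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string for the prefix match
        if not path.startswith(MEMORY_PREFIX):
            continue
        if rec["status"].startswith("2") and rec["ip"] not in trusted_ips:
            hits.append(rec)
    return hits


def summarize_by_ip(hits):
    """Count served /api/memory/ requests per client IP and user agent for triage."""
    counts = defaultdict(int)
    for rec in hits:
        counts[(rec["ip"], rec["agent"])] += 1
    return {f"{ip} ({agent})": n for (ip, agent), n in counts.items()}


if __name__ == "__main__":
    served = find_memory_hits(SAMPLE_LOG)
    for client, n in sorted(summarize_by_ip(served).items()):
        print(f"{client}: {n} served request(s) to {MEMORY_PREFIX}")
```

To run it against a real log, replace `SAMPLE_LOG` with the file contents and pass the addresses of known integrations (CI jobs, editors' offices) in `trusted_ips`; anything left over is a candidate for checking against Weblate's own audit log.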
Exploit status: disclosure
EPSS: 0.01% (percentile 2%)
The primary mitigation for CVE-2026-33214 is upgrading to Weblate version 5.17.0 or later, which includes the necessary access control fixes. If an immediate upgrade is not feasible, a temporary workaround involves blocking access to the /api/memory/ endpoint in the HTTP server configuration. This effectively disables the vulnerable feature, preventing unauthorized access. Ensure your web server (e.g., Nginx, Apache) is configured to deny requests to this endpoint. After upgrading to version 5.17.0, verify the fix by attempting to access the /api/memory/ endpoint with an unauthorized user account; access should be denied.
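The post-fix verification step from the paragraph above, as an added example (not code from the advisory or from Weblate). It assumes the operator supplies their own instance URL and, optionally, an API token belonging to a low-privilege account they control; the `Authorization: Token <key>` header format is Weblate's documented REST API scheme, stated here as an assumption. One detail worth knowing: `urllib` raises `HTTPError` for 4xx responses, so the denial the paragraph expects has to be read from the exception, not from a normal response object.

```python
"""Check that /api/memory/ refuses anonymous and unauthorized callers after the fix.

Added example, not part of the advisory or of Weblate. Assumes the operator's own instance
URL and a low-privilege token they own; header format assumed from Weblate's REST API docs.
"""
import sys
import urllib.error
import urllib.request

# 401/403 is what a patched instance should answer; 404 is what a web-server block on the
# endpoint typically returns. All three mean no translation memory data was served.
DENIED_STATUSES = {401, 403, 404}


def is_denied(status):
    """True when the status code means the caller was refused (the expected post-fix outcome)."""
    return status in DENIED_STATUSES


def probe(base_url, token=None, timeout=10):
    """GET /api/memory/ and return the HTTP status code, whether it came as a response or an error."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/memory/")
    req.add_header("Accept", "application/json")
    if token:
        req.add_header("Authorization", f"Token {token}")  # assumed Weblate token header format
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 4xx/5xx arrive here, not as a normal response


def evaluate(results):
    """Given {caller label: status}, return the labels that were NOT denied, i.e. the failures."""
    return [label for label, status in results.items() if not is_denied(status)]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: verify_memory_api.py https://weblate.example.invalid [LOW_PRIV_TOKEN]")
    base = sys.argv[1]
    checks = {"anonymous": probe(base)}
    if len(sys.argv) > 2:
        checks["low-privilege token"] = probe(base, token=sys.argv[2])
    failures = evaluate(checks)
    for label, status in checks.items():
        print(f"{label}: HTTP {status} ({'denied' if is_denied(status) else 'SERVED'})")
    sys.exit(1 if failures else 0)
```

A non-zero exit code makes this usable as a gate in the upgrade runbook: run it once before the upgrade (expect failure on an affected version), once after, and again if the HTTP-server block is later removed.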
Upgrade Weblate to version 5.17 or later to fix the access-control vulnerability. If you cannot upgrade immediately, block access to `/api/memory/` on your HTTP server to disable the translation memory feature.
CVE-2026-33214 is a medium severity vulnerability in Weblate where the translation memory API lacked proper access controls, allowing unauthorized data access.
You are affected if you are using Weblate versions 0.0.0 through 5.16. Upgrade to 5.17.0 to mitigate the risk.
Upgrade to Weblate version 5.17.0 or later. As a temporary workaround, block access to the /api/memory/ endpoint in your HTTP server configuration.
There is currently no evidence of active exploitation, but the vulnerability's nature could make it a target.
Refer to the Weblate GitHub repository for updates and information: https://github.com/WeblateOrg/weblate/pull/18513