Skip to main content

Wlc CVE-2026-22251

MEDIUM
Information Exposure (CWE-200)
2026-01-12 security-advisories@github.com GHSA-9rp8-h4g8-8766
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Jan 27, 2026 - 20:35 nvd
Patch available
CVE Published
Jan 12, 2026 - 18:15 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

AnalysisAI

Wlc versions prior to 1.17.0 fail to restrict unscoped API keys, allowing them to be transmitted to unintended Weblate servers and potentially leaked to attackers with local access or through compromised credentials. A local attacker with user privileges could exploit this information disclosure to gain unauthorized access to Weblate instances across multiple servers. A patch is available in version 1.17.0 and later.

Technical ContextAI

Classified as CWE-200 (Information Exposure). Affects Wlc. wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

RemediationAI

A vendor patch is available — apply it immediately.

Share

CVE-2026-22251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy