Skip to main content

Weblate EUVDEUVD-2026-28387

| CVE-2026-44263 MEDIUM
Observable Discrepancy (CWE-203)
2026-05-07 https://github.com/WeblateOrg/weblate GHSA-gcg5-86jr-f7jg
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 00:32 vuln.today
Analysis Generated
May 07, 2026 - 00:32 vuln.today
CVE Published
May 07, 2026 - 00:03 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Impact

The screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user.

Patches

  • https://github.com/WeblateOrg/weblate/pull/19258

Acknowledgement

Weblate thanks Luay for reporting this vulnerability according to the organization's security issues guideline.

AnalysisAI

Weblate versions before 5.17.1 allow authenticated users to enumerate translations in projects they cannot access via the screenshots, tasks, and component link API endpoints. An attacker with valid credentials but no project access can probe these APIs to discover the existence and metadata of private translations, leading to information disclosure of project structure and language coverage that should remain hidden. The vulnerability requires authentication but has a low attack complexity, affecting confidentiality only without enabling further compromise.

Technical ContextAI

Weblate is a web-based collaborative translation platform. The vulnerability exists in multiple API serializers and views (weblate/api/serializers.py, weblate/api/views.py) that handle screenshots, tasks, and component links. The root cause (CWE-203: Observable Discrepancy) stems from insufficient access control checks before retrieving translation objects. The patch fixes the issue by filtering translation queries through the user's access control layer (Translation.objects.filter_access(user)) instead of performing unrestricted queries, ensuring that API responses do not leak existence or metadata of inaccessible translations. The vulnerability affects the pip package weblate distributed via PyPI.

RemediationAI

Vendor-released patch: Weblate 5.17.1. Upgrade all Weblate installations to version 5.17.1 or later, available via pip (pip install --upgrade weblate>=5.17.1). The patch is contained in GitHub PR #19258 and commit 6cf892c7bd50b667a65a99d716a90694f7d9f203. For organizations unable to upgrade immediately, restrict API access via network controls: disable or rate-limit the /api/screenshots/, /api/tasks/, and /api/component-links/ endpoints at the reverse proxy or firewall level, or implement strict authentication policies that prevent users without project permissions from obtaining API tokens. Note that these compensating controls may break legitimate API consumers who depend on these endpoints, so test thoroughly before deployment. The most practical interim mitigation for most deployments is to audit API access logs for suspicious enumeration attempts while scheduling the upgrade.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-28387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy