Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user.
Patches
- https://github.com/WeblateOrg/weblate/pull/19258
Acknowledgement
Weblate thanks Luay for reporting this vulnerability according to the organization's security issues guideline.
AnalysisAI
Weblate versions before 5.17.1 allow authenticated users to enumerate translations in projects they cannot access via the screenshots, tasks, and component link API endpoints. An attacker with valid credentials but no project access can probe these APIs to discover the existence and metadata of private translations, leading to information disclosure of project structure and language coverage that should remain hidden. The vulnerability requires authentication but has a low attack complexity, affecting confidentiality only without enabling further compromise.
Technical ContextAI
Weblate is a web-based collaborative translation platform. The vulnerability exists in multiple API serializers and views (weblate/api/serializers.py, weblate/api/views.py) that handle screenshots, tasks, and component links. The root cause (CWE-203: Observable Discrepancy) stems from insufficient access control checks before retrieving translation objects. The patch fixes the issue by filtering translation queries through the user's access control layer (Translation.objects.filter_access(user)) instead of performing unrestricted queries, ensuring that API responses do not leak existence or metadata of inaccessible translations. The vulnerability affects the pip package weblate distributed via PyPI.
RemediationAI
Vendor-released patch: Weblate 5.17.1. Upgrade all Weblate installations to version 5.17.1 or later, available via pip (pip install --upgrade weblate>=5.17.1). The patch is contained in GitHub PR #19258 and commit 6cf892c7bd50b667a65a99d716a90694f7d9f203. For organizations unable to upgrade immediately, restrict API access via network controls: disable or rate-limit the /api/screenshots/, /api/tasks/, and /api/component-links/ endpoints at the reverse proxy or firewall level, or implement strict authentication policies that prevent users without project permissions from obtaining API tokens. Note that these compensating controls may break legitimate API consumers who depend on these endpoints, so test thoroughly before deployment. The most practical interim mitigation for most deployments is to audit API access logs for suspicious enumeration attempts while scheduling the upgrade.
Same weakness CWE-203 – Observable Discrepancy
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28387
GHSA-gcg5-86jr-f7jg