Compliance Impact

The vulnerability allows unauthorized retrieval of user notification settings and enumeration of all users via the API, which could lead to exposure of personal data. This unauthorized access to user information may impact compliance with data protection regulations such as GDPR and HIPAA by violating principles of confidentiality and proper access control. The fix in version 5.15 improves access controls to prevent unauthorized data disclosure, thereby helping to maintain compliance with such standards. [1, 2]

Useful 0 Not Useful 0

Executive Summary

CVE-2025-67715 is a vulnerability in Weblate versions prior to 5.15 where insufficient access controls in the Weblate API allowed low-privileged attackers to retrieve user notification settings and list all users without proper authorization. This was due to improper permission checks in the API endpoints related to user management. The issue was fixed in version 5.15 by introducing fine-grained permission checks, including an 'allow_self' parameter to differentiate self-service actions from administrative ones, restricting user search to authenticated users, and tightening access to user notifications to prevent unauthorized data exposure. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker with low privileges to access confidential user information such as notification settings and to enumerate all users via the Weblate API. This exposure of user data compromises confidentiality but does not affect data integrity or availability. Unauthorized access to user notifications and user lists could lead to privacy breaches or information disclosure within your organization. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

To detect this vulnerability, you can attempt to access the Weblate API endpoints related to user notifications and user listing without proper authentication or with low-privilege accounts. For example, try to list all users or retrieve notification settings via API calls without admin rights. Commands using curl might include: 1) Attempt to list users without authentication: curl -X GET https://<weblate-server>/api/users/ 2) Attempt to retrieve notification settings for other users: curl -X GET https://<weblate-server>/api/notifications/ -H 'Authorization: Bearer <low-privilege-token>' If these calls succeed in versions prior to 5.15, the system is vulnerable. After version 5.15, these endpoints require authentication and proper permissions, so unauthorized access should be denied. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Weblate to version 5.15 or later, where the vulnerability is fixed by enforcing proper access controls on the API. If upgrading immediately is not possible, restrict access to the Weblate API endpoints related to user management and notifications to trusted users only, and ensure that unauthenticated or low-privilege users cannot access these endpoints. Additionally, monitor API access logs for unauthorized attempts to list users or retrieve notifications. [1, 2]

Useful 0 Not Useful 0