CVE-2026-22250
SSL Verification Bypass in Weblate CLI Before
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblateorg | wlc | to 1.17.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the wlc command-line client caused SSL certificate verification to be skipped for certain crafted URLs. The issue was due to improper hostname matching logic that used a string prefix check, which mistakenly allowed hostnames starting with '127.0.0.1' but not actually localhost to bypass SSL verification. This flaw allowed insecure connections by bypassing SSL certificate checks. It was fixed by replacing the prefix check with exact hostname matching to ensure proper SSL verification except for legitimate localhost addresses. [1, 2]
How can this vulnerability impact me? :
This vulnerability can expose users to man-in-the-middle attacks by allowing insecure connections where SSL certificate verification is improperly skipped. Although the severity is low, it can lead to a low confidentiality loss by exposing sensitive data during communication. There is no impact on integrity or availability. The attack requires local access, high complexity, low privileges, and user interaction. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SSL verification being skipped for certain crafted URLs in wlc versions prior to 1.17.0. Detection can involve checking the version of the wlc client installed on your system to see if it is older than 1.17.0. You can run commands like `wlc --version` or `pip show wlc` to determine the installed version. Additionally, monitoring network traffic for insecure SSL connections initiated by wlc could help detect exploitation attempts, but no specific detection commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the wlc package to version 1.17.0 or later, where the SSL verification bypass issue is fixed. Until upgrading, avoid using untrusted wlc configurations that could cause insecure connections. Ensuring that SSL certificate validation is properly enforced and not bypassed is critical. [2]