Executive Summary

CVE-2026-24126 is a vulnerability in Weblate versions prior to 5.16.0 related to the SSH management console. The issue arises because the console did not properly validate input when adding SSH host keys, which could lead to argument injection in the `ssh-add` command. This means that an attacker with access to the management console could inject malicious arguments into the SSH key addition process.

The vulnerability is classified under CWE-88, which involves improper neutralization of argument delimiters in a command, allowing command injection. The root cause was the lack of input validation on hostnames or IP addresses passed to SSH-related functions.

The issue was fixed in Weblate version 5.16.0 by introducing strict validation of hostnames and IP addresses using a `DomainOrIPValidator`, improving error handling, and refactoring the SSH key addition process to prevent injection.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have significant security impacts if exploited. Because it allows argument injection into the `ssh-add` command, an attacker with access to the SSH management console could execute arbitrary commands or manipulate SSH key handling.'}, {'type': 'paragraph', 'content': 'The CVSS 3.1 base score is 6.6, indicating a moderate severity. The attack requires network access and high privileges but no user interaction.'}, {'type': 'paragraph', 'content': "The confidentiality impact is high, meaning sensitive information could be exposed or compromised. Integrity and availability impacts are also noted as low to moderate, meaning the system's data or operations could be altered or disrupted."}, {'type': 'paragraph', 'content': 'As a mitigation, restricting access to the management console is recommended to reduce the risk of exploitation.'}] [3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper input validation in the SSH management console of Weblate prior to version 5.16.0, which could lead to argument injection in the ssh-add command.

To detect this vulnerability on your system, you can check the version of Weblate you are running. Versions prior to 5.16.0 are vulnerable.

Since the issue is related to the SSH host key addition process, you can monitor or audit SSH host key additions or commands invoking ssh-add from the management console for suspicious or malformed input.

There are no explicit detection commands provided in the resources, but general steps include:

• Check the Weblate version: `weblate --version` or check the installed package version.
• Review logs related to SSH key management or the Weblate management console for unusual ssh-add command executions or errors.
• If possible, audit network traffic or command execution logs for injected arguments or unexpected ssh-add usage.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Weblate to version 5.16.0 or later, where the vulnerability has been fixed by adding strict input validation and improved error handling in the SSH host key management.

As an immediate workaround before upgrading, it is recommended to properly restrict access to the Weblate management console to trusted users only, limiting the risk of exploitation.

• Upgrade Weblate to version 5.16.0 or later.
• Restrict access to the SSH management console using network controls, authentication, or firewall rules.
• Monitor and audit SSH key additions and related logs for suspicious activity.

Useful 0 Not Useful 0