CVE-2026-27457
Insecure Direct Object Reference in Weblate Addon API
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | to 5.16.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Weblate versions prior to 5.16.1 in the REST API's AddonViewSet. The issue is that the API uses a queryset that retrieves all addons without restricting the results based on user permissions. As a result, any authenticated user, or even anonymous users if login is not required, can list and access all addons across all projects and components.
How can this vulnerability impact me? :
The vulnerability allows unauthorized access to all addons in the Weblate system. This means that users can view addons they should not have access to, potentially exposing sensitive or private information related to various projects and components.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Weblate to version 5.16.1 or later, where the issue has been fixed.
Additionally, ensure that the REQUIRE_LOGIN setting is enabled to prevent anonymous users from accessing the API.