CVE-2026-33212
Insecure Access Control in Weblate Tasks API Exposes Logs
Publication date: 2026-04-15
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | up to 5.17 (5.17 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Weblate versions prior to 5.17, where the tasks API did not verify user access for pending tasks.
As a result, users without proper access could potentially view logs of in-progress operations by brute-forcing the random UUID of the task.
However, exploiting this vulnerability is unlikely due to the default API rate limits that restrict brute-force attempts.
The issue was fixed in version 5.17.
How can this vulnerability impact me?
This vulnerability could allow unauthorized users to access logs of ongoing tasks that they should not have permission to see.
Such exposure might lead to information disclosure of sensitive or internal operational details.
However, the impact is limited by the difficulty of exploiting the vulnerability due to API rate limiting and the need to guess random UUIDs.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Weblate to version 5.17 or later, where the issue has been fixed.
Additionally, consider enforcing strict API rate limits and monitoring for unusual brute-force attempts targeting task UUIDs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Weblate prior to version 5.17 allows unauthorized users to access logs of in-progress operations by exploiting the tasks API without proper access verification. This improper access control could potentially lead to unauthorized disclosure of sensitive information within the system.
Such unauthorized access to data may impact compliance with data protection standards and regulations like GDPR or HIPAA, which require strict controls on access to personal or sensitive information to prevent data breaches.
However, exploitation is unlikely due to the need to brute-force random UUIDs under default API rate limits, and the confidentiality impact is rated low (CVSS 3.1 score 3.1). The issue has been fixed in version 5.17 by enforcing proper access control on pending tasks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to pending tasks in the Weblate API by guessing the random UUID of a task. Detection involves monitoring API requests for suspicious attempts to access task UUIDs, especially repeated or brute-force style requests to the tasks API endpoint.
You can detect potential exploitation attempts by analyzing your Weblate server logs for unusual access patterns to the tasks API, such as multiple failed attempts to retrieve tasks with different UUIDs.
Suggested commands to help detect such activity include:
- Using grep to find API calls to the tasks endpoint in Weblate access logs: `grep "/api/tasks/" /path/to/weblate/access.log`
- Counting unique IP addresses making requests to the tasks API (assumes the common/combined log format, where field 1 is the client IP): `grep "/api/tasks/" /path/to/weblate/access.log | awk '{print $1}' | sort | uniq -c | sort -nr`
- Detecting repeated requests with different UUIDs from the same IP (possible brute force; field 7 is the request path in the common/combined format, and `sort -u` keeps one line per IP/path pair so the count is the number of distinct task paths each IP requested): `grep "/api/tasks/" /path/to/weblate/access.log | awk '{print $1, $7}' | sort -u | awk '{print $1}' | uniq -c | sort -nr`
Additionally, monitoring for HTTP 403 or 404 responses from the tasks API endpoint may indicate access control enforcement or failed attempts to access unauthorized tasks.
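The detection logic described above, as an added example that is not part of the CVE record or of Weblate itself: it parses common/combined-format access log lines, counts how many distinct task UUIDs each client requested under `/api/tasks/`, and flags clients that probe many UUIDs while mostly receiving 403/404. The exact path shape (`/api/tasks/<uuid>/`) and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Common/combined log format: client IP first, request in quotes, then the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed shape of the Weblate task endpoint: /api/tasks/<uuid>/ (hypothetical).
TASK_RE = re.compile(r'^/api/tasks/(?P<uuid>[0-9a-fA-F-]{36})/?(?:\?.*)?$')


def analyze_task_requests(lines):
    """Per client IP: set of distinct task UUIDs, total task requests, 403/404 count."""
    stats = defaultdict(lambda: {"uuids": set(), "requests": 0, "denied": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        t = TASK_RE.match(m.group("path"))
        if not t:
            continue  # not the tasks endpoint
        s = stats[m.group("ip")]
        s["uuids"].add(t.group("uuid").lower())
        s["requests"] += 1
        if m.group("status") in ("403", "404"):
            s["denied"] += 1
    return stats


def flag_enumeration(stats, min_distinct=5, min_denied_ratio=0.8):
    """Flag IPs that touch many distinct UUIDs and are mostly denied (UUID guessing pattern)."""
    flagged = []
    for ip, s in stats.items():
        distinct = len(s["uuids"])
        ratio = s["denied"] / s["requests"] if s["requests"] else 0.0
        if distinct >= min_distinct and ratio >= min_denied_ratio:
            flagged.append((ip, distinct, s["denied"], s["requests"]))
    return sorted(flagged, key=lambda r: r[1], reverse=True)


def _line(ip, path, status):
    return f'{ip} - - [15/Apr/2026:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 123'


# Constructed sample log (not real traffic): one client probing six different UUIDs and
# getting 404 each time, one client legitimately polling a single task it owns.
SAMPLE_LOG = (
    [_line("198.51.100.7", f"/api/tasks/0000a1b2-c3d4-4e5f-8a9b-{i:012x}/", 404) for i in range(6)]
    + [_line("203.0.113.5", "/api/tasks/7d3b6e3a-0e8c-4a4b-9f26-1b2c3d4e5f60/", 200) for _ in range(4)]
    + [_line("203.0.113.5", "/api/projects/", 200)]
)

if __name__ == "__main__":
    for ip, distinct, denied, total in flag_enumeration(analyze_task_requests(SAMPLE_LOG)):
        print(f"{ip}: {distinct} distinct task UUIDs, {denied}/{total} requests denied")
```

Thresholds are a starting point; tune `min_distinct` against the legitimate polling volume of your own deployment before alerting on it.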