CVE-2026-33214
Received Received - Intake
Unauthorized Access in Weblate Translation Memory API Prior to

Publication date: 2026-04-15

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33214
EUVD
EUVD-2026-22999
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
weblate weblate to 5.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33214 is an improper access control vulnerability in the translation memory API of Weblate versions prior to 5.17.

The API exposed unintended endpoints that did not enforce proper authorization checks, allowing users with low privileges to access and potentially modify translation memory data without sufficient permissions.

This issue was fixed in version 5.17 by restricting the API to read-only operations and disabling create and update endpoints.

As a temporary workaround, blocking access to the /api/memory/ endpoint on the HTTP server can prevent exploitation.

Impact Analysis

This vulnerability allows users with low privileges to modify translation memory data without proper authorization.

While it does not impact confidentiality or availability, it has a low impact on data integrity since unauthorized modifications can occur.

The vulnerability has a moderate severity score (CVSS 4.3) and can be exploited remotely without user interaction.

Detection Guidance

This vulnerability can be detected by checking if your Weblate instance exposes the /api/memory/ endpoint without proper access control.

You can use network scanning or HTTP request commands to test access to this endpoint.

  • Use curl to check if the endpoint is accessible: curl -i http://your-weblate-server/api/memory/
  • Use tools like nmap with HTTP scripts to detect exposed endpoints.
  • Monitor HTTP server logs for requests to /api/memory/ to identify unauthorized access attempts.
Mitigation Strategies

The immediate mitigation step is to block access to the /api/memory/ endpoint on your HTTP server.

This workaround disables the vulnerable translation memory API feature and prevents exploitation until you can update Weblate.

Ultimately, update Weblate to version 5.17 or later, where the vulnerability has been fixed by restricting the API to read-only operations.

Compliance Impact

The vulnerability in Weblate's translation memory API allows actors with low privileges to access and potentially modify translation memory data without proper authorization. While the CVE description and resources detail the improper access control and its fix, there is no explicit information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33214. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart