CVE-2026-33214
Unauthorized Access in Weblate Translation Memory API Prior to
Publication date: 2026-04-15
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | to 5.17 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33214 is an improper access control vulnerability in the translation memory API of Weblate versions prior to 5.17.
The API exposed unintended endpoints that did not enforce proper authorization checks, allowing users with low privileges to access and potentially modify translation memory data without sufficient permissions.
This issue was fixed in version 5.17 by restricting the API to read-only operations and disabling create and update endpoints.
As a temporary workaround, blocking access to the /api/memory/ endpoint on the HTTP server can prevent exploitation.
How can this vulnerability impact me? :
This vulnerability allows users with low privileges to modify translation memory data without proper authorization.
While it does not impact confidentiality or availability, it has a low impact on data integrity since unauthorized modifications can occur.
The vulnerability has a moderate severity score (CVSS 4.3) and can be exploited remotely without user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Weblate instance exposes the /api/memory/ endpoint without proper access control.
You can use network scanning or HTTP request commands to test access to this endpoint.
- Use curl to check if the endpoint is accessible: curl -i http://your-weblate-server/api/memory/
- Use tools like nmap with HTTP scripts to detect exposed endpoints.
- Monitor HTTP server logs for requests to /api/memory/ to identify unauthorized access attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to block access to the /api/memory/ endpoint on your HTTP server.
This workaround disables the vulnerable translation memory API feature and prevents exploitation until you can update Weblate.
Ultimately, update Weblate to version 5.17 or later, where the vulnerability has been fixed by restricting the API to read-only operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Weblate's translation memory API allows actors with low privileges to access and potentially modify translation memory data without proper authorization. While the CVE description and resources detail the improper access control and its fix, there is no explicit information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.