CVE-2026-33220
Received Received - Intake
Unauthorized Access via Translation Memory API in Weblate

Publication date: 2026-04-15

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33220
EUVD
EUVD-2026-23000
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
weblate weblate to 5.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Weblate prior to version 5.17 allows unauthorized local file reads outside the intended repository directory, exposing sensitive information to unauthorized actors. This exposure of sensitive information (classified under CWE-200) can potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Since the vulnerability results in a high confidentiality impact by allowing attackers to access sensitive files without proper authorization, organizations using affected versions of Weblate may face risks related to unauthorized data disclosure, which is a critical compliance concern under these standards.

The fix introduced in version 5.17, including strict validation of local file paths and remote URLs, mitigates these risks by enforcing proper access control and preventing unauthorized file access, thereby helping maintain compliance with such regulations.

Executive Summary

CVE-2026-33220 is a vulnerability in Weblate versions prior to 5.17 where the translation memory API exposed unintended endpoints that did not perform proper access control.

This flaw allows attackers to perform arbitrary local file reads outside the intended repository directory due to improper sanitization of external input used to construct file pathnames, leading to path traversal.

The issue is classified under CWE-22 (Path Traversal) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

The vulnerability was fixed in version 5.17 by implementing strict validation of local file paths and remote URLs, enforcing domain allowlisting and preventing unsafe repository file access.

Impact Analysis

This vulnerability can allow an attacker to read arbitrary local files outside the intended repository directory, potentially exposing sensitive information.

The attack requires network access, low privileges, and some user interaction, but can lead to a high confidentiality impact by exposing sensitive data.

There is no impact on data integrity or availability, but unauthorized disclosure of sensitive information can have serious consequences.

Detection Guidance

This vulnerability involves the translation memory API exposing unintended endpoints that allow arbitrary local file reads due to improper access control and path traversal issues.

To detect this vulnerability on your system or network, you can monitor for unusual or unauthorized access attempts to the translation memory API endpoints, especially requests attempting to access files outside the intended repository directory.

Since the issue is related to path traversal, you can look for HTTP requests containing suspicious path traversal patterns such as "../" or encoded variants in URLs targeting the Weblate service.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP traffic to the Weblate server and filter for suspicious requests.
  • Example command to capture HTTP requests containing path traversal attempts: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -iE '\.\./|%2e%2e'`
  • Check Weblate server logs for requests with path traversal patterns or access to unexpected files.
  • If possible, use application-level logging or debugging to identify calls to the translation memory API that access files outside the repository.
Mitigation Strategies

The primary mitigation is to upgrade Weblate to version 5.17 or later, where the vulnerability has been fixed by implementing strict validation of local file paths and remote URLs.

If immediate upgrade is not possible, you can disable the CDN add-on feature, as it is not enabled by default and is the component affected by this vulnerability.

Additionally, restrict access to the translation memory API endpoints by applying network-level controls such as firewall rules or access control lists to limit who can reach these endpoints.

Monitor logs for suspicious activity and consider temporarily disabling or restricting features that allow external input for file path construction.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33220. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart