CVE-2026-33220
Unauthorized Access via Translation Memory API in Weblate

Publication date: 2026-04-15

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Weblate is a web-based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn did not perform proper access control. This issue has been fixed in version 5.17. Developers who are unable to update immediately can disable this feature; the CDN add-on is not enabled by default.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: weblate
Product: weblate
Version / Range: up to 5.17 (5.17 excluded)
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Weblate prior to version 5.17 allows unauthorized local file reads outside the intended repository directory, exposing sensitive information to unauthorized actors. This exposure of sensitive information (classified under CWE-200) can potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Since the vulnerability results in a high confidentiality impact by allowing attackers to access sensitive files without proper authorization, organizations using affected versions of Weblate may face risks related to unauthorized data disclosure, which is a critical compliance concern under these standards.

The fix introduced in version 5.17, including strict validation of local file paths and remote URLs, mitigates these risks by enforcing proper access control and preventing unauthorized file access, thereby helping maintain compliance with such regulations.


Can you explain this vulnerability to me?

CVE-2026-33220 is a vulnerability in Weblate versions prior to 5.17 where the translation memory API exposed unintended endpoints that did not perform proper access control.

This flaw allows attackers to perform arbitrary local file reads outside the intended repository directory due to improper sanitization of external input used to construct file pathnames, leading to path traversal.

The issue is classified under CWE-22 (Path Traversal) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

The vulnerability was fixed in version 5.17 by implementing strict validation of local file paths and remote URLs, enforcing domain allowlisting and preventing unsafe repository file access.


How can this vulnerability impact me?

This vulnerability can allow an attacker to read arbitrary local files outside the intended repository directory, potentially exposing sensitive information.

The attack requires network access, low privileges, and some user interaction, but can lead to a high confidentiality impact by exposing sensitive data.

There is no impact on data integrity or availability, but unauthorized disclosure of sensitive information can have serious consequences.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the translation memory API exposing unintended endpoints that allow arbitrary local file reads due to improper access control and path traversal issues.

To detect this vulnerability on your system or network, you can monitor for unusual or unauthorized access attempts to the translation memory API endpoints, especially requests attempting to access files outside the intended repository directory.

Since the issue is related to path traversal, you can look for HTTP requests containing suspicious path traversal patterns such as "../" or encoded variants in URLs targeting the Weblate service.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP traffic to the Weblate server and filter for suspicious requests. Traffic on port 443 is TLS-encrypted, so pattern matching on the wire only works for plaintext HTTP or at the TLS-terminating proxy; for HTTPS deployments, inspect the proxy or application access logs instead.
  • Example command to capture plaintext HTTP requests containing path traversal attempts (`-l` line-buffers tcpdump's output so that grep sees each packet as it arrives): `tcpdump -l -i any -A -s 0 'tcp port 80' | grep -iE '\.\./|%2e%2e'`
  • Check Weblate server logs for requests with path traversal patterns or access to unexpected files.
  • If possible, use application-level logging or debugging to identify calls to the translation memory API that access files outside the repository.
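The log-inspection steps above can be automated. The script below is an added example written for this page; it is not Weblate's code and not part of the advisory. It parses access-log lines in the common "combined" format (nginx/Apache), percent-decodes each request target repeatedly so that double-encoded variants such as `%252e%252e` are unwrapped, normalises backslashes, and reports every request whose decoded target contains a `..` segment, noting whether the server answered with a 2xx status. The sample log lines are constructed for the example, and the `/api/memory/` path and `file=` query parameter in them are placeholders; the advisory does not name the affected endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in the common "combined" format (nginx/Apache).
# These are NOT real Weblate traffic; the /api/memory/ path and the "file=" query
# parameter are placeholders standing in for the affected endpoints, which the
# advisory does not name.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Apr/2026:10:01:02 +0000] "GET /api/translations/ HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [15/Apr/2026:10:01:05 +0000] "GET /api/memory/?file=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.12 - - [15/Apr/2026:10:01:07 +0000] "GET /api/memory/?file=%2e%2e%2f%2e%2e%2fconfig.ini HTTP/1.1" 200 300 "-" "python-requests/2.31"
203.0.113.13 - - [15/Apr/2026:10:01:09 +0000] "GET /api/memory/?file=%252e%252e%252fsettings.py HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.14 - - [15/Apr/2026:10:01:11 +0000] "GET /media/avatars/user..v2.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One "combined"-format line: client IP, identity, user, timestamp, request line,
# status, response size (referer and user agent are ignored here).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A ".." segment followed by a separator (or end of string) after decoding and
# slash normalisation. "user..v2.png" does not match, which keeps false positives down.
TRAVERSAL = re.compile(r'\.\.(?:/|$)')


def decode_target(target: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode repeatedly (up to max_rounds) so double-encoded payloads such as
    %252e%252e%252f are unwrapped. Returns the decoded string and the rounds it took."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    # Normalise Windows-style separators so "..\" is treated like "../".
    return target.replace("\\", "/"), rounds


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose decoded target contains a traversal segment."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded, rounds = decode_target(m["target"])
        if TRAVERSAL.search(decoded):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "raw_target": m["target"],
                "decoded_target": decoded,
                "decode_rounds": rounds,
                "status": m["status"],
                # A 2xx on a traversal request was not rejected and needs a closer
                # look; a 4xx is an attempt that the server refused.
                "served": m["status"].startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "refused"
        print(f'{f["timestamp"]} {f["ip"]} {flag} {f["decoded_target"]} '
              f'(decoded {f["decode_rounds"]}x, status {f["status"]})')
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; findings with `served` set to true are the ones to triage first, and a non-zero `decode_rounds` indicates the client deliberately encoded the traversal sequence. The decode loop is bounded because a request can be nested in percent-encoding arbitrarily deep; three rounds cover single and double encoding without turning the scanner into a denial-of-service target itself.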

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Weblate to version 5.17 or later, where the vulnerability has been fixed by implementing strict validation of local file paths and remote URLs.

If immediate upgrade is not possible, you can disable the CDN add-on feature, as it is not enabled by default and is the component affected by this vulnerability.

Additionally, restrict access to the translation memory API endpoints by applying network-level controls such as firewall rules or access control lists to limit who can reach these endpoints.

Monitor logs for suspicious activity and consider temporarily disabling or restricting features that allow external input for file path construction.

