CVE-2026-33440
Open Redirect Vulnerability in Weblate Before

Publication date: 2026-04-15

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-21
Generated: 2026-05-06
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: weblate
Product: weblate
Version / Range: up to 5.17 (exclusive)
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Weblate versions prior to 5.17, where the ALLOWED_ASSET_DOMAINS setting was applied only to the first request issued and did not restrict the redirects that followed it. After the initial request passed the check, the server could be redirected to domains outside the allowed list, potentially leading to unintended behavior or security risks.


How can this vulnerability impact me?

The vulnerability can impact you by allowing redirects to domains outside the allowed list after the first request. This could lead to security issues such as redirecting users to malicious sites or bypassing domain restrictions, which may compromise the integrity of the localization tool or expose users to phishing or other attacks.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Weblate to version 5.17 or later, where the issue with the ALLOWED_ASSET_DOMAINS setting has been fixed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Weblate prior to version 5.17 is an authenticated Server-Side Request Forgery (SSRF) issue that allows attackers to bypass domain restrictions via redirect chains. This could potentially lead to unauthorized access to internal or restricted resources.

However, the CVE description and resources do not provide specific information on how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an authenticated Server-Side Request Forgery (SSRF) in Weblate versions prior to 5.17, where the ALLOWED_ASSET_DOMAINS setting does not restrict redirects to unauthorized domains.

To detect this vulnerability on your system, you should first verify the Weblate version in use. Versions prior to 5.17 are vulnerable.

You can check the Weblate version by running a command on the server hosting Weblate, for example:

  • If Weblate is installed via pip, run: `weblate --version` or `pip show weblate`
  • If Weblate is deployed via Docker, check the image tag or run: `docker exec <container_name> weblate --version`

To detect exploitation attempts or suspicious SSRF activity, monitor requests that submit a URL to be fetched (for example a screenshot URL upload) and check whether the resulting redirect chain leads to domains outside the ALLOWED_ASSET_DOMAINS allow-list.

Network monitoring tools or web application firewalls (WAF) can be configured to log and alert on outbound HTTP requests from the Weblate server to unexpected domains.

Specific commands depend on your environment, but example commands to monitor outbound connections include:

  • Using tcpdump to capture outbound HTTP traffic (note the parentheses: `and` binds tighter than `or`, so without them the filter would also match all port-443 traffic from any host): `tcpdump -i <interface> host <weblate_server_ip> and tcp port \(80 or 443\)`
  • Using netstat or ss to check active connections: `netstat -tnp | grep weblate` or `ss -tnp | grep weblate` (substitute the name of the process that actually serves Weblate, such as uwsgi or gunicorn, if it does not appear as `weblate`)

Additionally, reviewing Weblate application logs for URL upload requests and their redirect targets can help identify attempts to bypass domain restrictions.
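The following is an added illustration, not Weblate's own code: it contrasts a fetcher that consults the allow-list only for the first request (the pattern the description attributes to versions before 5.17) with one that re-checks every redirect hop. The hosts, URLs and the in-memory "web" are constructed for the example; the allow-list variable merely stands in for the ALLOWED_ASSET_DOMAINS setting.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the network (no real hosts): URL -> ("redirect", Location) or ("ok", body).
FAKE_WEB = {
    "https://assets.allowed.example/logo.png": ("redirect", "/cdn/logo.png"),
    "https://assets.allowed.example/cdn/logo.png": ("ok", b"PNG-bytes"),
    "https://assets.allowed.example/bounce.png": ("redirect", "http://internal-service.local/"),
    "http://internal-service.local/": ("ok", b"internal content"),
}
# Hypothetical allow-list standing in for Weblate's ALLOWED_ASSET_DOMAINS setting.
ALLOWED_ASSET_DOMAINS = {"assets.allowed.example"}
MAX_REDIRECTS = 5

def host_allowed(url, allowed=ALLOWED_ASSET_DOMAINS):
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in allowed

def fake_get(url):
    """Stand-in for an HTTP GET that does not follow redirects by itself."""
    return FAKE_WEB.get(url, ("ok", b""))

def fetch_first_hop_only(url):
    """Flawed pattern: the allow-list is checked once, then redirects are followed blindly."""
    if not host_allowed(url):
        raise ValueError(f"domain not allowed: {url}")
    for _ in range(MAX_REDIRECTS + 1):
        status, payload = fake_get(url)
        if status != "redirect":
            return url, payload
        url = urljoin(url, payload)  # a Location header may be relative
    raise ValueError("too many redirects")

def fetch_every_hop(url):
    """Hardened pattern: re-check the allow-list before every hop, redirects included."""
    for _ in range(MAX_REDIRECTS + 1):
        if not host_allowed(url):
            raise ValueError(f"domain not allowed: {url}")
        status, payload = fake_get(url)
        if status != "redirect":
            return url, payload
        url = urljoin(url, payload)
    raise ValueError("too many redirects")

def stays_within_allowlist(fetch, url):
    """True if the fetcher either refuses the URL or finishes on an allowed host."""
    try:
        final_url, _ = fetch(url)
    except ValueError:
        return True
    return host_allowed(final_url)
```

Run against the constructed table, the first-hop-only fetcher ends up on internal-service.local via bounce.png, while the per-hop fetcher refuses that redirect and still serves logo.png normally.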

