CVE-2026-33440
Received Received - Intake
Open Redirect Vulnerability in Weblate Before

Publication date: 2026-04-15

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has been fixed in version 5.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33440
EUVD
EUVD-2026-23002
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
weblate weblate to 5.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Weblate versions prior to 5.17 where the ALLOWED_ASSET_DOMAINS setting only applied to the first issued requests and did not restrict possible redirects. This means that after the initial request, redirects could occur to domains not allowed by the setting, potentially leading to unintended behavior or security risks.

Impact Analysis

The vulnerability can impact you by allowing redirects to domains outside the allowed list after the first request. This could lead to security issues such as redirecting users to malicious sites or bypassing domain restrictions, which may compromise the integrity of the localization tool or expose users to phishing or other attacks.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Weblate to version 5.17 or later, where the issue with the ALLOWED_ASSET_DOMAINS setting has been fixed.

Compliance Impact

The vulnerability in Weblate prior to version 5.17 is an authenticated Server-Side Request Forgery (SSRF) issue that allows attackers to bypass domain restrictions via redirect chains. This could potentially lead to unauthorized access to internal or restricted resources.

However, the CVE description and resources do not provide specific information on how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves an authenticated Server-Side Request Forgery (SSRF) in Weblate versions prior to 5.17, where the ALLOWED_ASSET_DOMAINS setting does not restrict redirects to unauthorized domains.

To detect this vulnerability on your system, you should first verify the Weblate version in use. Versions prior to 5.17 are vulnerable.

You can check the Weblate version by running a command on the server hosting Weblate, for example:

  • If Weblate is installed via pip, run: `weblate --version` or `pip show weblate`
  • If Weblate is deployed via Docker, check the image tag or run: `docker exec <container_name> weblate --version`

To detect exploitation attempts or suspicious SSRF activity, monitor HTTP requests that upload URLs for screenshots and check if redirect chains lead to unauthorized domains beyond the ALLOWED_ASSET_DOMAINS whitelist.

Network monitoring tools or web application firewalls (WAF) can be configured to log and alert on outbound HTTP requests from the Weblate server to unexpected domains.

Specific commands depend on your environment, but example commands to monitor outbound connections include:

  • Using tcpdump to capture outbound HTTP traffic: `tcpdump -i <interface> host <weblate_server_ip> and tcp port 80 or 443`
  • Using netstat or ss to check active connections: `netstat -tnp | grep weblate` or `ss -tnp | grep weblate`

Additionally, reviewing Weblate application logs for URL upload requests and their redirect targets can help identify attempts to bypass domain restrictions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33440. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart