CVE-2026-34244
Received Received - Intake
Server-Side Request Forgery in Weblate Pre-5.17 Allows Internal Access

Publication date: 2026-04-15

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read. This issue has been fixed in version 5.17. If developers are unable to immediately upgrade, they can limit available machinery services via WEBLATE_MACHINERY setting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34244
EUVD
EUVD-2026-23004
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
weblate weblate to 5.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34244 is a Server-Side Request Forgery (SSRF) vulnerability in Weblate versions prior to 5.17. It affects the project-level machinery configuration feature, where a user with the "project.edit" permission can configure machine translation service URLs to point to arbitrary internal network addresses.

During the validation of these configurations, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This allows an attacker to induce the server to make requests to internal systems and partially read the response, which constitutes SSRF with partial response data exposure.

The vulnerability has been fixed in Weblate version 5.17. As a temporary workaround, administrators can limit available machinery services via the WEBLATE_MACHINERY setting to prevent exploitation.

Impact Analysis

This vulnerability allows an attacker with limited privileges (project.edit permission) to make the Weblate server send HTTP requests to arbitrary internal network addresses. This can lead to unauthorized access to internal services that are not normally exposed externally.

Additionally, the attacker can see up to 200 characters of the response from these internal requests, potentially exposing sensitive information from internal systems.

The CVSS score of 5.0 indicates a moderate severity impact, with low complexity and no need for user interaction, but it can compromise confidentiality to some extent.

Detection Guidance

This vulnerability involves a user with project.edit permission configuring machine translation service URLs to arbitrary internal network addresses, which triggers HTTP requests during configuration validation. Detection can focus on monitoring HTTP requests made by Weblate to unusual or internal network addresses, especially those triggered by configuration changes.

You can check Weblate logs for HTTP requests to internal or unexpected URLs during machinery configuration validation. Additionally, monitoring error messages that reflect up to 200 characters of response bodies may indicate exploitation attempts.

While no specific commands are provided in the resources, general network monitoring tools like tcpdump or Wireshark can be used to capture outgoing HTTP requests from the Weblate server to internal IP ranges.

  • Use tcpdump to monitor HTTP requests from the Weblate server: tcpdump -i <interface> 'tcp port 80 or 443'
  • Check Weblate application logs for error messages containing partial response data from HTTP requests during machinery configuration.
  • Audit user permissions to identify users with project.edit permission who might configure machinery URLs.
Mitigation Strategies

The primary mitigation is to upgrade Weblate to version 5.17 or later, where this vulnerability has been fixed.

If immediate upgrading is not possible, limit the available machinery services by configuring the WEBLATE_MACHINERY setting to restrict allowed URLs, preventing SSRF exploitation.

Additionally, restrict the project.edit permission to trusted users only, as this permission enables configuration of machine translation service URLs.

The fix also includes limiting allowed URLs to public URLs by default to reduce SSRF risk.

Compliance Impact

The vulnerability in Weblate prior to version 5.17 allows a user with project.edit permission to perform Server-Side Request Forgery (SSRF), which can lead to exposure of up to 200 characters of response data from internal network addresses.

This exposure of sensitive information to unauthorized actors (CWE-200) could potentially impact compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding sensitive data and preventing unauthorized access or disclosure.

However, the confidentiality impact is rated low (CVSS 5.0, C:L), and the vulnerability does not affect integrity or availability.

Organizations using affected versions should upgrade to Weblate 5.17 or apply mitigations like limiting machinery services via the WEBLATE_MACHINERY setting to reduce risk and maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34244. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart