CVE-2026-34244
Server-Side Request Forgery in Weblate Pre-5.17 Allows Internal Access
Publication date: 2026-04-15
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | < 5.17 (5.17 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Weblate prior to version 5.17 allows a user with project.edit permission to perform Server-Side Request Forgery (SSRF), which can lead to exposure of up to 200 characters of response data from internal network addresses.
This exposure of sensitive information to unauthorized actors (CWE-200) could potentially impact compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding sensitive data and preventing unauthorized access or disclosure.
However, the confidentiality impact is rated low (CVSS 5.0, C:L), and the vulnerability does not affect integrity or availability.
Organizations using affected versions should upgrade to Weblate 5.17 or apply mitigations like limiting machinery services via the WEBLATE_MACHINERY setting to reduce risk and maintain compliance.
Can you explain this vulnerability to me?
CVE-2026-34244 is a Server-Side Request Forgery (SSRF) vulnerability in Weblate versions prior to 5.17. It affects the project-level machinery configuration feature, where a user with the "project.edit" permission can configure machine translation service URLs to point to arbitrary internal network addresses.
During the validation of these configurations, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This allows an attacker to induce the server to make requests to internal systems and partially read the response, which constitutes SSRF with partial response data exposure.
The vulnerability has been fixed in Weblate version 5.17. As a temporary workaround, administrators can limit available machinery services via the WEBLATE_MACHINERY setting to prevent exploitation.
How can this vulnerability impact me?
This vulnerability allows an attacker with limited privileges (project.edit permission) to make the Weblate server send HTTP requests to arbitrary internal network addresses. This can lead to unauthorized access to internal services that are not normally exposed externally.
Additionally, the attacker can see up to 200 characters of the response from these internal requests, potentially exposing sensitive information from internal systems.
The CVSS score of 5.0 indicates a moderate severity impact, with low complexity and no need for user interaction, but it can compromise confidentiality to some extent.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a user with project.edit permission configuring machine translation service URLs to arbitrary internal network addresses, which triggers HTTP requests during configuration validation. Detection can focus on monitoring HTTP requests made by Weblate to unusual or internal network addresses, especially those triggered by configuration changes.
You can check Weblate logs for HTTP requests to internal or unexpected URLs during machinery configuration validation. Additionally, monitoring error messages that reflect up to 200 characters of response bodies may indicate exploitation attempts.
While no specific commands are provided in the resources, general network monitoring tools like tcpdump or Wireshark can be used to capture outgoing HTTP requests from the Weblate server to internal IP ranges.
- Use tcpdump to monitor HTTP requests from the Weblate server: `tcpdump -i <interface> 'tcp port 80 or 443'`
- Check Weblate application logs for error messages containing partial response data from HTTP requests during machinery configuration.
- Audit user permissions to identify users with project.edit permission who might configure machinery URLs.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Weblate to version 5.17 or later, where this vulnerability has been fixed.
If immediate upgrading is not possible, limit the available machinery services by configuring the WEBLATE_MACHINERY setting to restrict allowed URLs, preventing SSRF exploitation.
Additionally, restrict the project.edit permission to trusted users only, as this permission enables configuration of machine translation service URLs.
The fix also includes limiting allowed URLs to public URLs by default to reduce SSRF risk.
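One way to apply the "public URLs only" rule that the fix describes, shown here as an added illustration and not Weblate's own code: the configured host is resolved and accepted only if every resolved address is globally routable, and the validation message is built without any remote response body (so nothing is reflected back to the user). The resolver hook, function names and sample hosts are assumptions.

```python
"""Destination check for user-configured machinery service URLs.
Illustrative code (not Weblate's implementation): reject anything that
is not http(s) to a public, globally routable host."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def resolve_with_dns(host: str) -> list[str]:
    """Default resolver: every address (IPv4 and IPv6) the host maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.
    Private, loopback, link-local (including 169.254.169.254-style metadata
    endpoints), multicast, reserved and unspecified ranges are rejected.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so it cannot bypass the
    IPv4 checks."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    # is_multicast is checked explicitly: older Python releases report
    # some multicast ranges as is_global.
    return addr.is_global and not addr.is_multicast


def is_allowed_machinery_url(url: str, resolve: Resolver = resolve_with_dns) -> bool:
    """Accept http(s) URLs whose host resolves ONLY to public addresses.
    Every resolved address must pass, so a name that maps to both a public
    and an internal address (or resolves to nothing) is rejected."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addresses = list(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return False
    return bool(addresses) and all(is_public_address(a) for a in addresses)


def validation_error(url: str) -> str:
    """Error text for a rejected URL. It deliberately contains only the
    submitted URL, never any part of a remote response."""
    return f"Machinery URL {url!r} must point to a public host."
```

Pass a custom resolver (as the test does) to exercise the check offline; in production the default resolver should be the same one the HTTP client uses, so the address that is checked is the address that is connected to.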