CVE-2026-40256
Path Traversal Bypass in Weblate Repository Validation Pre

Publication date: 2026-04-15

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Weblate is a web-based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside). This issue has been fixed in version 5.17.
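The following Python example is added here to illustrate the defect class the description names; it is not Weblate's code and the repository path /srv/weblate/vcs/repo is a constructed value. It puts the prefix-based check beside a segment-aware one and shows that a sibling directory whose name merely extends the root name (repo_outside) passes the first and fails the second.

```python
import posixpath

# Constructed repository root for the demonstration; the advisory names no path.
# Real code would derive both sides from os.path.realpath() so symlinks are resolved
# before the comparison; posixpath is used here so the example runs offline on any OS.
REPO_ROOT = posixpath.normpath("/srv/weblate/vcs/repo")


def resolve(candidate: str, root: str = REPO_ROOT) -> str:
    """Join a user-controlled path onto the root and collapse '.' and '..' segments."""
    return posixpath.normpath(posixpath.join(root, candidate))


def is_inside_prefix(candidate: str, root: str = REPO_ROOT) -> bool:
    """The weak check the advisory describes: a plain string prefix test on the
    resolved path. '/x/repo_outside/f' starts with '/x/repo', so it is accepted."""
    return resolve(candidate, root).startswith(root)


def is_inside_segment_aware(candidate: str, root: str = REPO_ROOT) -> bool:
    """Segment-aware check: the root must be a whole-component ancestor of the
    resolved path, which commonpath() decides component by component."""
    resolved = resolve(candidate, root)
    return posixpath.commonpath([root, resolved]) == root


def compare_checks(candidates):
    """Return {candidate: (prefix_result, segment_aware_result)} for each input."""
    return {c: (is_inside_prefix(c), is_inside_segment_aware(c)) for c in candidates}


if __name__ == "__main__":
    cases = ["docs/de.po", ".", "../repo_outside/secret", "../other/secret"]
    for path, (prefix_ok, segment_ok) in compare_checks(cases).items():
        print(f"{path:28} prefix={prefix_ok!s:5} segment_aware={segment_ok}")
```

The only input on which the two checks disagree is the one the advisory describes: a path under a sibling directory that shares the root's string prefix. Comparing `commonpath([root, resolved]) == root` (or, on Python 3.9+, `Path(resolved).is_relative_to(root)`) after `realpath()` is the usual fix.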
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-21
Generated: 2026-05-06
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: weblate
Product: weblate
Version / Range: up to 5.17 (excluding 5.17)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Weblate versions prior to 5.17. The issue is related to how Weblate validates repository boundaries by checking if resolved absolute paths start with the repository root path string. This check uses a simple string prefix method (startswith) which is not aware of path segments. As a result, an attacker can bypass this validation if an external path shares the same string prefix as the repository path (for example, a path like 'repo_outside' can bypass checks intended for 'repo'). This allows access outside the intended repository boundaries.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from improper repository boundary validation in Weblate versions prior to 5.17, specifically due to prefix-based path checks that can be bypassed using crafted symlinks or junctions. To detect if your system is vulnerable, you should check the Weblate version in use and inspect repository paths for symlinks that point outside the intended repository directory.

A practical approach is to identify symlinks within your Weblate repositories and verify whether their resolved absolute paths lie outside the repository root. This can be done by listing symlinks and resolving their targets.

  • Find all symlinks in the repository directory (replace /path/to/repo with your repository path): find /path/to/repo -type l -exec ls -l {} +
  • For each symlink found, resolve its absolute path and check if it is outside the repository root. For example, using readlink and realpath: readlink -f /path/to/repo/symlink_name
  • Compare the resolved path with the repository root path. If the resolved path is not within the repository root, this indicates a potential exploitation of the vulnerability.

Additionally, ensure your Weblate installation is updated to version 5.17 or later, where this issue has been fixed by enhanced path validation and symlink resolution.
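The three detection steps above (enumerate symlinks, resolve each target, compare against the repository root) as one added Python script. It is not part of the page or of Weblate; it builds a constructed temporary tree with a repository, a sibling directory named repo_outside and an unrelated directory, then reports every symlink and whether it escapes under a segment-aware comparison and under a plain prefix comparison, so the case the prefix check misses is visible in the output.

```python
import os
import tempfile
from pathlib import Path


def resolved_escapes(link_path: str, repo_root: str) -> tuple[bool, bool]:
    """Return (escapes_by_segment_check, escapes_by_prefix_check) for one symlink.
    realpath() follows the whole link chain before either comparison is made."""
    root = os.path.realpath(repo_root)
    target = os.path.realpath(link_path)
    segment_inside = os.path.commonpath([root, target]) == root
    prefix_inside = target.startswith(root)
    return (not segment_inside, not prefix_inside)


def find_symlinks(repo_root: str):
    """Yield every symlink below repo_root without following any of them
    (symlinked directories show up in dirnames and are not descended into)."""
    for dirpath, dirnames, filenames in os.walk(repo_root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                yield full


def audit_symlinks(repo_root: str):
    """Return [(link relative to root, raw link text, escapes_segment, escapes_prefix)]."""
    report = []
    for link in sorted(find_symlinks(repo_root)):
        seg, pre = resolved_escapes(link, repo_root)
        report.append((os.path.relpath(link, repo_root), os.readlink(link), seg, pre))
    return report


def build_demo_tree(base: str) -> str:
    """Constructed fixture: repo/, a sibling repo_outside/ sharing the name prefix,
    an unrelated other/, and three symlinks inside repo/. Returns the repo path."""
    repo = os.path.join(base, "repo")
    os.makedirs(os.path.join(repo, "docs"))
    Path(repo, "docs", "good.po").write_text('msgid ""\nmsgstr ""\n')
    os.makedirs(os.path.join(base, "repo_outside"))
    Path(base, "repo_outside", "secret.txt").write_text("constructed secret\n")
    os.makedirs(os.path.join(base, "other"))
    Path(base, "other", "notes.txt").write_text("constructed notes\n")
    # Legitimate link, link into the same-prefix sibling, link into an unrelated dir.
    os.symlink(os.path.join("docs", "good.po"), os.path.join(repo, "link_internal"))
    os.symlink(os.path.join("..", "repo_outside", "secret.txt"), os.path.join(repo, "link_sibling"))
    os.symlink(os.path.join("..", "other"), os.path.join(repo, "link_other_dir"))
    return repo


def run_demo():
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        return audit_symlinks(build_demo_tree(base))


if __name__ == "__main__":
    for rel, raw, seg, pre in run_demo():
        print(f"{rel:16} -> {raw:28} escapes(segment)={seg!s:5} escapes(prefix)={pre}")
```

Point `audit_symlinks()` at a real repository directory instead of the fixture to run the same check in place; a row where `escapes(segment)` is true and `escapes(prefix)` is false is exactly the pattern the advisory describes.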


How can this vulnerability impact me?

The vulnerability can allow an attacker or unauthorized user to bypass repository boundary checks and potentially access files or directories outside the intended repository. This could lead to unauthorized exposure of sensitive data or code, as the system mistakenly trusts paths that share a prefix with the repository root.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Weblate to version 5.17 or later where the issue has been fixed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Weblate prior to version 5.17 allows attackers to bypass repository boundary validation via crafted symlink or junction paths, potentially enabling unauthorized access to files outside the intended repository directory.

This unauthorized access could lead to exposure of sensitive data, which may impact compliance with data protection standards and regulations such as GDPR or HIPAA that require strict controls on data access and confidentiality.

However, the CVE description and resources do not explicitly mention compliance impacts or regulatory considerations.

