CVE-2026-44263
Path Traversal in Weblate Localization Tool
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | all versions before 5.17.1 (5.17.1 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to discover the existence of private translations and related resources in your Weblate projects that should be inaccessible.
While it does not allow modification or deletion of data, the information disclosure could lead to privacy concerns or aid attackers in gathering intelligence about your localization projects.
The CVSS score of 4.3 (medium) reflects low attack complexity and low privileges required (any authenticated account, not a project member), with a limited confidentiality impact and no impact on data integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized enumeration of private translations via Weblate's screenshot, tasks, and component link APIs by observing differences in API responses.
Detection can be performed by monitoring API requests to these endpoints and checking for unusual or unauthorized access patterns that reveal information about inaccessible translations.
Specifically, you can attempt to access the screenshot, tasks, or component link API endpoints with a user account that should not have access to certain projects or translations and observe if the API responses differ between accessible and inaccessible resources.
Commands to test this might include using curl to send requests to these API endpoints with a low-privileged API key and comparing the HTTP status codes and response bodies. Weblate's REST API authenticates with an "Authorization: Token <key>" header (not "Bearer"), and component links are exposed under the component itself rather than at a top-level path:
- curl -i -H "Authorization: Token <key>" https://<weblate-server>/api/screenshots/<id>/
- curl -i -H "Authorization: Token <key>" https://<weblate-server>/api/tasks/<uuid>/
- curl -i -H "Authorization: Token <key>" https://<weblate-server>/api/components/<project>/<component>/links/
Send each request twice: once for a resource you know exists in a project the account cannot access (take the ID from an administrator session on your own instance), and once for an ID that does not exist at all. If the two responses differ (for example 403 with a permission message versus 404 "Not found"), the server is disclosing which private resources exist and the vulnerability is present; a patched server answers both requests identically.
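The comparison described above, written out as an added example that is not part of the advisory or of the Weblate project: a low-privileged API key requests a resource that exists in a project it cannot see and a resource that does not exist, and the two answers are compared after canonicalising the JSON so that only a real difference counts. The hostname, key, IDs and the sample responses are placeholders and constructed data, not captured from a real server.

```python
"""Added example (not from the advisory or the Weblate project): probe a Weblate
instance for the response oracle described above. A low-privileged API key
requests a resource that exists in a project it cannot see and a resource that
does not exist; if the two answers differ, private IDs can be told apart from
unused ones. Hostnames, keys and IDs below are placeholders you substitute."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    status: int
    body: str


def fetch(base_url: str, path: str, api_key: str, timeout: float = 10.0) -> Probe:
    """GET one API path and return status plus body. Weblate's REST API uses the
    'Authorization: Token <key>' scheme; a 4xx is returned as data, not raised."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Token {api_key}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Probe(err.code, err.read().decode("utf-8", "replace"))


def normalise(body: str) -> str:
    """Canonicalise JSON so whitespace or key order cannot mask an identical answer."""
    try:
        return json.dumps(json.loads(body), sort_keys=True, separators=(",", ":"))
    except ValueError:
        return body.strip()


def is_oracle(private: Probe, missing: Probe) -> bool:
    """True when 'exists but forbidden' is distinguishable from 'does not exist'."""
    return (private.status, normalise(private.body)) != (missing.status, normalise(missing.body))


def classify(private: Probe, missing: Probe) -> str:
    if is_oracle(private, missing):
        return f"LEAKS: private->{private.status}, missing->{missing.status}"
    return f"ok: both->{missing.status}"


def check_server(base_url: str, api_key: str, pairs: dict) -> dict:
    """pairs maps a label to (path of a private-but-existing resource,
    path of a non-existent resource). Both paths must use the same endpoint."""
    return {
        label: classify(fetch(base_url, private, api_key), fetch(base_url, missing, api_key))
        for label, (private, missing) in pairs.items()
    }


# Constructed sample answers (not captured from a real server) for the two behaviours.
LEAKY_PAIR = (
    Probe(403, '{"detail": "You do not have permission to perform this action."}'),
    Probe(404, '{"detail": "Not found."}'),
)
FIXED_PAIR = (
    Probe(404, '{"detail":"Not found."}'),
    Probe(404, '{"detail": "Not found."}'),
)

if __name__ == "__main__":
    print("pre-5.17.1 shape:", classify(*LEAKY_PAIR))
    print("patched shape:   ", classify(*FIXED_PAIR))
    # Against a live instance (placeholders: HOST, KEY, IDs taken from an admin session):
    # print(check_server("https://HOST", "KEY", {
    #     "screenshots": ("/api/screenshots/123/", "/api/screenshots/999999/"),
    #     "tasks": ("/api/tasks/<uuid-of-private-task>/", "/api/tasks/00000000-0000-0000-0000-000000000000/"),
    #     "links": ("/api/components/private-proj/comp/links/", "/api/components/no-such/comp/links/"),
    # }))
```

Only status and body differences are detected; a timing difference between the two lookups would be a separate oracle that this check does not cover. The private IDs must come from a session that legitimately sees them (an administrator on your own instance), since the point of the test is that the low-privileged key cannot discover them on its own.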
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Weblate to version 5.17.1 or later, where this vulnerability has been patched.
The patch ensures that API queries for screenshots, tasks, and component links only return information about resources accessible to the authenticated user, preventing unauthorized enumeration.
Until the upgrade can be applied, limit who can reach the affected API endpoints (for example by allowing only trusted networks or accounts through your reverse proxy), and review API access logs for sequential or high-volume requests to screenshot, task and component link paths, which is what an enumeration attempt looks like.
Review and tighten user permissions to minimize exposure of sensitive translation data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized users to enumerate private translations in Weblate projects through certain APIs, potentially exposing sensitive information that should be restricted.
Such unauthorized information disclosure could impact compliance with data protection standards and regulations like GDPR or HIPAA, which require strict controls on access to sensitive or private data.
By leaking information about inaccessible translations, the vulnerability may lead to violations of confidentiality requirements mandated by these regulations.
The issue was addressed in version 5.17.1 by restricting API responses to only include resources accessible to the user, thereby mitigating the risk of unauthorized data exposure.
Can you explain this vulnerability to me?
CVE-2026-44263 is a vulnerability in Weblate, a web-based localization tool, affecting versions prior to 5.17.1. It allows unauthorized users to enumerate translations in projects they do not have access to via the screenshots, tasks, and component link APIs.
The issue arises because these APIs exposed translations and related resources without properly filtering based on user permissions, enabling attackers to infer the existence of private translations by observing API responses.
The vulnerability is classified as an information disclosure flaw (CWE-203) where the system's behavior reveals sensitive information through observable discrepancies in responses.
The problem was fixed in Weblate version 5.17.1 by modifying the API to apply user-accessible filters, ensuring that inaccessible resources return the same error responses as non-existent ones, thus preventing unauthorized enumeration.
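The two lookup orders behind this class of bug, as an added example in plain Python that is not Weblate's code and does not reproduce its patch. The in-memory table, the two users and their project access are constructed. The "vulnerable" order fetches by primary key and only then checks access, so a private row answers 403 while an unused id answers 404; the "hardened" order applies the user-accessible filter first, so both cases answer 404 and nothing is learned about private rows.

```python
"""Added example, not Weblate's code: the two lookup orders behind a CWE-203
enumeration bug, modelled with an in-memory table. 'Vulnerable' fetches then
authorises; 'hardened' filters to the user's accessible rows before the lookup."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Screenshot:
    pk: int
    project: str


class NotFound(Exception):
    status = 404


class Forbidden(Exception):
    status = 403


# Constructed table: one screenshot in a public project, one in a private project.
SCREENSHOTS = {
    1: Screenshot(1, "public-docs"),
    2: Screenshot(2, "secret-product"),
}

# Constructed ACL: 'guest' sees only the public project, 'admin' sees both.
ACCESS = {
    "guest": {"public-docs"},
    "admin": {"public-docs", "secret-product"},
}


def get_screenshot_vulnerable(user: str, pk: int) -> Screenshot:
    """Fetch, then authorise: the two failure paths are distinguishable."""
    row = SCREENSHOTS.get(pk)
    if row is None:
        raise NotFound()
    if row.project not in ACCESS.get(user, set()):
        raise Forbidden()  # tells the caller that pk exists
    return row


def get_screenshot_hardened(user: str, pk: int) -> Screenshot:
    """Authorise, then fetch: rows the user may not see are never candidates,
    so a private id and a missing id fail identically."""
    visible = {k: v for k, v in SCREENSHOTS.items() if v.project in ACCESS.get(user, set())}
    row = visible.get(pk)
    if row is None:
        raise NotFound()
    return row


def status_for(lookup, user: str, pk: int) -> int:
    """HTTP status a view wrapping `lookup` would return."""
    try:
        lookup(user, pk)
        return 200
    except (NotFound, Forbidden) as exc:
        return exc.status


def distinguishable(lookup, user: str, private_pk: int, missing_pk: int) -> bool:
    """Can `user` tell a private id from an unused id through this lookup?"""
    return status_for(lookup, user, private_pk) != status_for(lookup, user, missing_pk)


if __name__ == "__main__":
    for name, lookup in (("vulnerable", get_screenshot_vulnerable), ("hardened", get_screenshot_hardened)):
        print(name, "guest pk=2:", status_for(lookup, "guest", 2),
              "guest pk=99:", status_for(lookup, "guest", 99),
              "oracle:", distinguishable(lookup, "guest", 2, 99))
```

In Django REST Framework terms the hardened order is the general pattern of having get_queryset() return only rows the requesting user may see, so that get_object() raises Http404 for anything outside that set; this is the usual framework idiom, not a description of the specific Weblate change. The same filter has to be applied on list endpoints as well, otherwise the detail view is tightened while the listing still reveals the IDs.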