CVE-2026-44263
Analyzed Analyzed - Analysis Complete
Path Traversal in Weblate Localization Tool

Publication date: 2026-05-07

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-11
Generated
2026-06-17
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44263
EUVD
EUVD-2026-28387
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
weblate weblate to 5.17.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44263 is a vulnerability in Weblate, a web-based localization tool, affecting versions prior to 5.17.1. It allows unauthorized users to enumerate translations in projects they do not have access to via the screenshots, tasks, and component link APIs.

The issue arises because these APIs exposed translations and related resources without properly filtering based on user permissions, enabling attackers to infer the existence of private translations by observing API responses.

The vulnerability is classified as an information disclosure flaw (CWE-203) where the system's behavior reveals sensitive information through observable discrepancies in responses.

The problem was fixed in Weblate version 5.17.1 by modifying the API to apply user-accessible filters, ensuring that inaccessible resources return the same error responses as non-existent ones, thus preventing unauthorized enumeration.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to discover the existence of private translations and related resources in your Weblate projects that should be inaccessible.

While it does not allow modification or deletion of data, the information disclosure could lead to privacy concerns or aid attackers in gathering intelligence about your localization projects.

The CVSS score of 4.3 indicates a moderate severity with low attack complexity and low privileges required, but no impact on data integrity or availability.

Detection Guidance

This vulnerability involves unauthorized enumeration of private translations via Weblate's screenshot, tasks, and component link APIs by observing differences in API responses.

Detection can be performed by monitoring API requests to these endpoints and checking for unusual or unauthorized access patterns that reveal information about inaccessible translations.

Specifically, you can attempt to access the screenshot, tasks, or component link API endpoints with a user account that should not have access to certain projects or translations and observe if the API responses differ between accessible and inaccessible resources.

Commands to test this might include using curl or similar tools to send requests to these API endpoints and analyze the HTTP status codes and response content.

  • curl -i -H "Authorization: Bearer <token>" https://<weblate-server>/api/screenshots/<id>/
  • curl -i -H "Authorization: Bearer <token>" https://<weblate-server>/api/tasks/<id>/
  • curl -i -H "Authorization: Bearer <token>" https://<weblate-server>/api/component-links/<id>/

If the responses reveal existence of resources that should be inaccessible (e.g., different error codes or messages), this indicates the vulnerability is present.

Mitigation Strategies

The primary mitigation step is to upgrade Weblate to version 5.17.1 or later, where this vulnerability has been patched.

The patch ensures that API queries for screenshots, tasks, and component links only return information about resources accessible to the authenticated user, preventing unauthorized enumeration.

Until the upgrade can be applied, restrict access to the affected API endpoints to trusted users only, and monitor API usage for suspicious enumeration attempts.

Review and tighten user permissions to minimize exposure of sensitive translation data.

Compliance Impact

The vulnerability allows unauthorized users to enumerate private translations in Weblate projects through certain APIs, potentially exposing sensitive information that should be restricted.

Such unauthorized information disclosure could impact compliance with data protection standards and regulations like GDPR or HIPAA, which require strict controls on access to sensitive or private data.

By leaking information about inaccessible translations, the vulnerability may lead to violations of confidentiality requirements mandated by these regulations.

The issue was addressed in version 5.17.1 by restricting API responses to only include resources accessible to the user, thereby mitigating the risk of unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44263. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart