CVE-2026-50127
Deferred - Pending Action
Weblate IPv6 Multicast VCS Restriction Bypass

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-11
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
weblate   weblate   From 5.15 (inc) to 2026.6 (exc)
weblate   weblate   2026.6
CWE
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions (insights generated by AI)
Executive Summary

The vulnerability is an incomplete private-address filter behind Weblate's VCS_RESTRICT_PRIVATE setting. Weblate did not correctly handle some transitional IPv6 ranges, multicast addresses, and some semi-private IPv4 ranges, so addresses in those ranges passed a restriction that is meant to block private or otherwise restricted network endpoints.

An attacker could supply an IPv6 literal that embeds a private IPv4 address (a NAT64-wrapped address, for example) as the repository location and get past the outbound URL restriction: Weblate would then fetch from an internal address the filter was supposed to reject.

The root cause is reliance on the `ipaddress.IPv6Address.is_global` check. A translation prefix such as NAT64 is itself globally routable, so is_global reports an address inside it as global even when the IPv4 address it embeds is loopback or RFC 1918; the same test does not exclude multicast addresses either. The fix unwraps these IPv6 transition formats and classifies the embedded IPv4 address, so that private destinations are blocked.

Impact Analysis

This vulnerability can lead to Server-Side Request Forgery (SSRF), where an attacker can cause the Weblate server to make unauthorized outbound requests to internal or restricted network addresses.

Such unauthorized requests could expose internal services or data that are not meant to be accessible externally, potentially leading to information disclosure or further exploitation within the internal network.

This page shows no CVSS vector, so the privilege and user-interaction requirements are not stated here. What an attacker needs is the ability to hand Weblate a repository URL that it will fetch, which is exactly the input VCS_RESTRICT_PRIVATE exists to filter; in a deployment where untrusted or low-trust users can add or edit repository URLs, that is the exposure to assess.

Detection Guidance

VCS_RESTRICT_PRIVATE is meant to stop users from pointing a repository at a private or restricted network address. This bug lets an IPv6 literal that embeds a private IPv4 address (NAT64 is the example given above), a multicast address, or a semi-private IPv4 range past that filter, so detection means looking at where Weblate actually connects rather than at what the filter accepted.

Because the fetch is a server-side request, an attacker needs a URL or hostname that resolves to one of these addresses. Checking the A and AAAA records of the repository hostnames configured in Weblate for answers that are, or embed, a private or restricted IPv4 address is therefore a useful inventory step.

Suggested steps:

  • Capture outbound traffic from the Weblate host (tcpdump or Wireshark) and filter for IPv6 destinations inside the NAT64 well-known prefix 64:ff9b::/96, IPv4-mapped addresses, and multicast; any such destination from a repository operation is suspect.
  • Resolve the hostnames in configured repository URLs (`dig AAAA <hostname>`, and likewise the A records) and check whether any answer is, or embeds, a private or restricted IPv4 address.
  • On the Weblate server, review logs for outbound repository operations against private or restricted IP ranges, i.e. requests that VCS_RESTRICT_PRIVATE should have blocked.
  • Validate the addresses in outbound URLs with a script that unwraps IPv6 transition formats before testing against private ranges, instead of trusting a single is_global check.
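The root-cause paragraph in the Executive Summary and the last detection step above come down to the same check, so here is one added example for both, in Python because that is what Weblate is written in. It is this page's illustration, not Weblate's code: a naive filter that trusts ipaddress' is_global on the literal as given, beside a hardened one that unwraps IPv4-mapped, NAT64 (well-known and local-use prefixes), 6to4 and Teredo addresses and rejects multicast, which goes beyond the NAT64 case named above to the other transition formats. The function names and the sample addresses are the example's own; the samples are constructed, not taken from the advisory.

```python
"""Naive vs. hardened "may Weblate fetch from this address?" check.

Added example for this page, not Weblate's code: function names and the
sample addresses below are this example's own assumptions.
"""
import ipaddress

# Translation prefixes whose low 32 bits carry an IPv4 address.
NAT64_WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052
NAT64_LOCAL_USE = ipaddress.IPv6Network("64:ff9b:1::/48")  # RFC 8215


def naive_is_allowed(host: str) -> bool:
    """The flawed pattern: trust is_global on the literal as given.

    64:ff9b::/96 is globally routable as a prefix, so an address inside it
    that embeds 127.0.0.1 or a 10.0.0.0/8 address still comes back True.
    """
    return ipaddress.ip_address(host).is_global


def embedded_ipv4(addr: ipaddress.IPv6Address) -> list:
    """IPv4 addresses carried inside the IPv6 transition formats."""
    found = []
    if addr.ipv4_mapped is not None:                     # ::ffff:a.b.c.d (RFC 4291)
        found.append(addr.ipv4_mapped)
    if addr in NAT64_WELL_KNOWN or addr in NAT64_LOCAL_USE:
        found.append(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))
    if addr.sixtofour is not None:                       # 2002:a.b.c.d::/48 (RFC 3056)
        found.append(addr.sixtofour)
    if addr.teredo is not None:                          # 2001::/32 -> (server, client) (RFC 4380)
        found.extend(addr.teredo)
    return found


def reachable_targets(addr):
    """The address(es) a connection to `addr` actually lands on.

    For the pure translation prefixes (IPv4-mapped, NAT64) the embedded IPv4
    address *is* the destination, so only it is checked; for 6to4 and Teredo
    the IPv6 literal and every embedded IPv4 address are all checked.
    """
    if isinstance(addr, ipaddress.IPv4Address):
        return [addr]
    embedded = embedded_ipv4(addr)
    if addr.ipv4_mapped is not None or addr in NAT64_WELL_KNOWN or addr in NAT64_LOCAL_USE:
        return embedded
    return [addr] + embedded


def hardened_is_allowed(host: str) -> bool:
    """Allow only destinations that are globally routable after unwrapping,
    and never multicast or the unspecified address.

    Takes an IP literal; a hostname must be resolved first and every A/AAAA
    answer passed through this function.
    """
    addr = ipaddress.ip_address(host)
    for target in reachable_targets(addr):
        if target.is_multicast or target.is_unspecified:
            return False
        if not target.is_global:   # loopback, link-local, RFC 1918, CGNAT, reserved, ...
            return False
    return True


# Constructed sample destinations (not from the advisory), one per bypass class.
SAMPLES = [
    "64:ff9b::7f00:1",                       # NAT64-wrapped 127.0.0.1
    "64:ff9b:1::a00:1",                      # local-use NAT64 prefix wrapping 10.0.0.1
    "::ffff:10.0.0.5",                       # IPv4-mapped RFC 1918 address
    "2002:a00:1::1",                         # 6to4 carrying 10.0.0.1
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo example from RFC 4380, client 192.0.2.45
    "ff02::1",                               # IPv6 all-nodes multicast
    "224.0.0.251",                           # IPv4 mDNS multicast
    "100.64.0.1",                            # shared address space (CGNAT)
    "64:ff9b::808:808",                      # NAT64-wrapped 8.8.8.8: legitimately public
    "1.1.1.1",                               # plain public IPv4
]


def audit(samples=SAMPLES) -> dict:
    """Return {address: (naive verdict, hardened verdict)} for a list of literals."""
    return {s: (naive_is_allowed(s), hardened_is_allowed(s)) for s in samples}


if __name__ == "__main__":
    for host, (naive, hardened) in audit().items():
        flag = "  <-- naive check lets this through" if naive and not hardened else ""
        print(f"{host:40} naive={naive!s:5} hardened={hardened!s:5}{flag}")
```

Run it as a script to see the two verdicts side by side; the NAT64 literal wrapping 127.0.0.1 is the row where they disagree. The private-range tables inside `ipaddress` have changed across Python releases, which is why the hardened function tests multicast explicitly and classifies the embedded IPv4 address itself rather than relying on what is_global says about the IPv6 wrapper.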
Mitigation Strategies

The primary mitigation step is to upgrade Weblate to version 2026.6 or later, where this vulnerability has been patched.

Until the upgrade can be performed, consider restricting outbound network access from the Weblate server to prevent unauthorized requests to private or restricted IP ranges.

Do not treat VCS_RESTRICT_PRIVATE as the boundary until the upgrade is done: the flaw is in the address classification behind that setting, so the protection has to come from the network, i.e. egress filtering from the Weblate host to private, multicast and other restricted ranges, for both IPv4 and IPv6 including the transition prefixes.

Monitor Weblate logs and network traffic for suspicious outbound requests that may indicate exploitation attempts.

Compliance Impact

The provided information does not specify how the CVE-2026-50127 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
