Description
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
Published: 2026-01-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via API Key Leak
Action: Patch
AI Analysis

Impact

The vulnerability resides in the Weblate command‑line client, wlc, which allows unscoped API keys to be configured. Unscoped keys are discouraged, but the code path remained present, enabling the key to be unintentionally forwarded to or observed by other servers. Exposure of an API key grants an attacker full API privileges, potentially allowing them to read, modify, or delete data in the Weblate instance. The weakness is identified as a confidentiality violation.

Affected Systems

Manufactured by WeblateOrg, the wlc client, versions prior to 1.17.0, contains this flaw. The affected packages are the command‑line client ‘wlc’ and any instance that relies on it to interact with Weblate’s REST API.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the moderate range, while the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The flaw is not listed in the CISA Kennedylike Vulnerabilities catalog. The likely attack vector is misuse or misconfiguration of API keys within the client or inadvertent leakage to intermediate servers during API requests. Exploitation would require the attacker to obtain the leaked key, after which they could gain unauthorized access to the API endpoints.

Generated by OpenCVE AI on April 18, 2026 at 07:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wlc client to version 1.17.0 or later, where unscoped key support has been removed.
  • Replace any existing unscoped API keys with scoped keys that are limited to the necessary permissions.
  • Rotate API keys that may have been exposed and audit configuration files to ensure no residual unscoped keys remain.

Generated by OpenCVE AI on April 18, 2026 at 07:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9rp8-h4g8-8766 Weblate wlc has insecure API key configuration
History

Tue, 27 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Weblate
Weblate wlc
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*
Vendors & Products Weblate
Weblate wlc

Tue, 13 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Weblateorg
Weblateorg wlc
Vendors & Products Weblateorg
Weblateorg wlc

Mon, 12 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Description wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
Title wlc may leak API keys due to an insecure API key configuration
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N'}

Subscriptions

Weblate Wlc
Weblateorg Wlc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T18:43:53.664Z

Reserved: 2026-01-07T05:19:12.921Z

Link: CVE-2026-22251

cve-icon Vulnrichment

Updated: 2026-01-12T18:43:24.564Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-12T18:15:49.457

Modified: 2026-01-27T20:35:05.300

Link: CVE-2026-22251

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses