Description
Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue.
Published: 2026-02-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of all addon configurations
Action: Patch
AI Analysis

Impact

The vulnerability in Weblate’s REST API allows a user to retrieve every addon configuration in the system, regardless of their project membership or permissions. Because the AddonViewSet uses an unfiltered queryset, any authenticated user can issue GET requests to /api/addons/ and /api/addons/{id}/ to obtain confidential addon data. The exposure threatens privacy and could serve as groundwork for further exploitation, as addon configurations may reference sensitive environment variables or connection strings. This represents a medium severity information‑disclosure flaw (CWE‑200 and CWE‑862).
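As an added illustration (not Weblate's code and not a runnable Django REST Framework app), the plain-Python stand-in below contrasts the pre-5.16.1 pattern from the description and the Impact paragraph (a static `queryset` with no `get_queryset()` override) with the fix of scoping `get_queryset()` to the requesting user. The `Component`, `User`, `can_view` permission model and the sample addons are constructed assumptions, not Weblate's data model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    id: int
    project: str

@dataclass(frozen=True)
class Addon:
    id: int
    name: str
    component: Component
    configuration: dict

@dataclass
class User:
    username: str
    # Hypothetical permission model: names of the projects this user may view.
    viewable_projects: frozenset = frozenset()

    def can_view(self, component: Component) -> bool:
        return component.project in self.viewable_projects

# Constructed sample data: one addon in a public project, one in a private one.
PUBLIC = Component(1, "public-docs")
PRIVATE = Component(2, "internal-billing")
ADDONS = [
    Addon(10, "weblate.cleanup.generic", PUBLIC, {}),
    Addon(11, "weblate.git.squash", PRIVATE, {"token": "constructed-placeholder"}),
]

class UnscopedAddonViewSet:
    """Pre-fix pattern: a static queryset, so every user sees every addon."""
    def __init__(self, user: User):
        self.user = user
    def get_queryset(self) -> list:
        return list(ADDONS)  # stands in for Addon.objects.all()
    def list(self) -> list:
        return [addon.id for addon in self.get_queryset()]
    def retrieve(self, addon_id: int) -> Addon:
        # Looked up through get_queryset(), so an out-of-scope id is a plain 404.
        for addon in self.get_queryset():
            if addon.id == addon_id:
                return addon
        raise LookupError(f"addon {addon_id} not found (HTTP 404)")

class ScopedAddonViewSet(UnscopedAddonViewSet):
    """Hardened pattern: get_queryset() keeps only addons the user may view."""
    def get_queryset(self) -> list:
        return [a for a in ADDONS if self.user.can_view(a.component)]
```

Because `retrieve()` resolves the id through the scoped queryset, an out-of-scope id produces the same 404 as a nonexistent one, so the fix also avoids confirming which addon ids exist.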

Affected Systems

Weblate installations running any version prior to 5.16.1 are affected. This includes the 5.15 release series and earlier, which developers and site administrators might still be running. Updating to Weblate 5.16.1 or later eliminates the problem, as the API is then correctly scoped to the current user’s permissions.

Risk and Exploitability

The CVSS v3 score of 4.3 indicates moderate risk. EPSS is less than 1%, meaning active exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack path is straightforward: an attacker needs only an authenticated account of any privilege level, or no account at all where REQUIRE_LOGIN is not set, and can then issue simple GET requests to the /api/addons/ endpoint. Although the low exploitation probability reduces urgency, the potential for widespread data leakage warrants prompt remediation.

Generated by OpenCVE AI on April 17, 2026 at 14:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Weblate to version 5.16.1 or later, which limits the AddonViewSet queryset to enforce user permissions.
  • Modify server configuration to require authentication (set REQUIRE_LOGIN to true) so that only logged‑in users can access the API, thus preventing anonymous disclosure.
  • If an upgrade is not immediately possible, restrict access to the /api/addons/ endpoint using network firewall rules or reverse‑proxy authentication so that only trusted network segments or approved IP addresses can reach that endpoint.

Advisories
Source: GitHub GHSA
ID: GHSA-wppc-7cq7-cgfv
Title: Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
History

Tue, 03 Mar 2026 06:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 17:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Weblate; Weblate weblate

Type: Vendors & Products
Values Added: Weblate; Weblate weblate

Thu, 26 Feb 2026 22:15:00 +0000

Type: Description
Values Added: (the description shown at the top of this page)

Type: Title
Values Added: Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Type: Weaknesses
Values Added: CWE-200, CWE-862

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T01:39:37.771Z

Reserved: 2026-02-19T17:25:31.100Z

Link: CVE-2026-27457

Vulnrichment

Updated: 2026-03-03T01:39:33.624Z

NVD

Status: Analyzed

Published: 2026-02-26T22:20:48.133

Modified: 2026-02-27T17:05:12.150

Link: CVE-2026-27457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses