Description
Weblate is a web-based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to the given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17.
Published: 2026-04-15
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: Unauthorized disclosure of pending task logs
Action: Upgrade
AI Analysis

Impact

Weblate's tasks API failed to enforce proper access control before version 5.17, allowing users to retrieve logs of in-progress operations that they were not permitted to see. The weakness is a classic improper access control flaw, CWE-284. An attacker would have to guess the random UUID of a pending task; the API rate limits make a successful brute-force attempt unlikely, so the practical risk is low, although the confidentiality of in-progress work is still at stake.

Affected Systems

The affected product is Weblate, developed by the WeblateOrg community. All releases prior to 5.17 are vulnerable. The vulnerability was fixed in Weblate 5.17, which applies proper ACL checks against the owner and scope of pending tasks.

Risk and Exploitability

The CVSS score of 3.1 reflects a low-severity impact. EPSS data is unavailable, and the issue is not listed in the CISA KEV catalog. Exploitation requires brute-forcing a UUID through the public API, a costly activity that rate limiting mitigates, so the true exploitation probability is low. Nevertheless, an unauthorized user who manages to guess a task identifier could still view sensitive logs.

Generated by OpenCVE AI on April 16, 2026 at 02:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Weblate 5.17 or newer release to ensure proper access control is enforced in the tasks API.
  • Configure API authentication and enforce role‑based access control so only users with the appropriate scope can query pending tasks.
  • Enable or tighten rate limiting on the tasks API to slow down potential brute‑force attempts against UUIDs.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 18:30:00 +0000

Type: Metrics (ssvc)
  Values removed: (none)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 18:00:00 +0000

Type: Description
  Values removed: (none)
  Values added: Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17.
Type: Title
  Values removed: (none)
  Values added: Weblate: Improper access control for pending tasks in API
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-284
Type: References
  Values removed: (none)
  Values added: (not shown)
Type: Metrics (cvssV3_1)
  Values removed: (none)
  Values added: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T18:09:01.991Z

Reserved: 2026-03-17T23:23:58.313Z

Link: CVE-2026-33212

Vulnrichment

Updated: 2026-04-15T18:08:58.343Z

NVD

Status: Received

Published: 2026-04-15T18:17:19.897

Modified: 2026-04-15T18:17:19.897

Link: CVE-2026-33212

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:45:06Z

Weaknesses