CVE-2026-33214 - Vulnerability Details

- Weblate has improper access control for the translation memory API

Description

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.

Published: 2026-04-15

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The translation memory API in Weblate enables developers and translators to store and retrieve translation suggestions across projects. Prior to version 5.17 the API exposed additional endpoints that omitted the required authorization checks. As a result, any authenticated user who could reach the endpoints could read or otherwise manipulate translation memory data, exposing potentially confidential translation strings and other sensitive information. This vulnerability is a missing authorization flaw, classified as CWE‑862.

Affected Systems

The issue affects installations of Weblate running any version earlier than 5.17. The vendor is WeblateOrg, product Weblate. The fix was introduced in 5.17 and later releases. No specific scoped version list is provided beyond the threshold.

Risk and Exploitability

The CVSS score is 4.3, placing it in the low‑moderate range. No EPSS data is available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Because the affected endpoints are exposed over HTTP, the likely attack vector is remote over the network. An attacker who gains network connectivity to the Weblate instance could exploit the exposure, potentially revealing confidential translation memory data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WeblateOrg

weblate

affected

Version	Status	Constraints
`< 5.17`	affected	—

No data.

Vendor Product Confidence Versions

Weblate

91%

Version	Status	Scheme	Platform
`[0,5.17)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Weblate to version 5.17 or later to apply the vendor fix.
If an upgrade is not immediately possible, block or deny HTTP access to the /api/memory/ path in the web or reverse‑proxy server to remove the vulnerable functionality.
Implement or enforce proper authorization controls on all API endpoints to prevent unauthenticated or insufficiently privileged users from accessing translation memory data.

Generated by OpenCVE AI on April 16, 2026 at 09:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-mpf5-3vph-q75r	Weblate: Improper access control for the translation memory in API

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00009.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/WeblateOrg/weblate/pull/18513
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r

History

Thu, 16 Apr 2026 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Weblate Weblate weblate
Vendors & Products		Weblate Weblate weblate

Wed, 15 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 15 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.
Title		Weblate has improper access control for the translation memory API
Weaknesses		CWE-862
References		https://github.com/WeblateOrg/weblate/pull/18513 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Weblate Weblate

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-15T17:51:46.812Z

Updated: 2026-04-15T20:02:14.057Z

Reserved: 2026-03-17T23:23:58.314Z

Link: CVE-2026-33214

Vulnrichment

Updated: 2026-04-15T18:32:45.655Z

NVD

Status : Undergoing Analysis

Published: 2026-04-15T18:17:20.053

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-33214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object