Description
Weblate is a web-based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read. This issue has been fixed in version 5.17. If developers are unable to immediately upgrade, they can limit available machinery services via the WEBLATE_MACHINERY setting.
Published: 2026-04-15
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery with partial response read
Action: Patch
AI Analysis

Impact

Weblate versions older than 5.17 allow users with the project.edit permission to configure machine‑translation service URLs. During configuration validation Weblate performs an HTTP request to the configured URL and includes up to 200 characters of the response in an error message shown to the user. This lets an attacker holding that permission conduct a Server‑Side Request Forgery that reveals partial responses from internal network hosts. The weakness is a Server‑Side Request Forgery with partial response read, classified as CWE‑918 and CWE‑200, leading to potential exposure of internal resources and data loss.
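A defensive check for the validation step described above, as an added example that is not Weblate's code: the URL is parsed and its host resolved before any request is made, and addresses in loopback, link-local, private or otherwise non-public ranges are rejected; the error helper reports only an HTTP status so the validation path never reflects response content. The function names, the injectable resolver and the sample addresses are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical hardening for a user-supplied machinery service URL.
# Added example, not Weblate's code; names are assumptions.


def _is_non_public(addr: str) -> bool:
    """True for addresses a server should never be told to contact."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_machinery_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return the URL unchanged if it is safe to contact, else raise ValueError.

    The resolver parameter exists so the check can be exercised offline;
    the default resolves through the system resolver (socket.getaddrinfo).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("machinery URL must use http or https")
    if not parts.hostname:
        raise ValueError("machinery URL must include a host")
    if parts.username or parts.password:
        raise ValueError("credentials in machinery URL are not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(parts.hostname, port)
    except socket.gaierror as exc:
        raise ValueError(f"machinery host does not resolve: {exc}") from exc
    # getaddrinfo entries are (family, type, proto, canonname, sockaddr);
    # sockaddr[0] is the IP string for both IPv4 and IPv6.
    addresses = {info[4][0] for info in infos}
    if not addresses:
        raise ValueError("machinery host does not resolve")
    # Reject if *any* resolved address is non-public, so a name that mixes
    # public and internal records cannot slip through.
    for addr in addresses:
        if _is_non_public(addr):
            raise ValueError("machinery URL resolves to a non-public address")
    return url


def is_allowed_machinery_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper around validate_machinery_url for callers and tests."""
    try:
        validate_machinery_url(url, resolver=resolver)
    except ValueError:
        return False
    return True


def safe_validation_error(status: int) -> str:
    """Error text for a failed service probe: status only, never the body.

    Reflecting response content here is exactly what turns an SSRF into
    a partial response read, so the body is deliberately not a parameter.
    """
    return f"machinery service validation failed (HTTP {status})"


def fake_resolver(addresses):
    """Build a getaddrinfo-shaped resolver over constructed addresses (offline use)."""
    def resolve(host, port):
        return [
            (socket.AF_INET6 if ":" in a else socket.AF_INET,
             socket.SOCK_STREAM, 6, "", (a, port))
            for a in addresses
        ]
    return resolve


if __name__ == "__main__":
    public = fake_resolver(["93.184.216.34"])       # constructed sample
    metadata = fake_resolver(["169.254.169.254"])   # constructed sample
    print(is_allowed_machinery_url("https://api.example.com/v1", public))      # True
    print(is_allowed_machinery_url("http://metadata.internal/latest", metadata))  # False
    print(safe_validation_error(503))
```

The resolver is injected rather than mocked so the same function runs in production with socket.getaddrinfo and offline in tests; checking every resolved address, not just the first, closes the gap where a hostname returns both a public and an internal record.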

Affected Systems

The vulnerability affects the Weblate open‑source localization platform built by WeblateOrg. All deployments running any version prior to 5.17 are susceptible; the fix was introduced in the 5.17 release.

Risk and Exploitability

The CVSS score of 5.0 indicates moderate severity. No EPSS value is available, so the current exploitation likelihood is uncertain, and the issue is not listed in CISA’s KEV catalog. The attacker must possess project.edit rights, which can be granted by the per‑project Administration role. If such a user can set arbitrary machinery URLs, they can initiate SSRF against internal hosts that are reachable from the Weblate server. Because only up to 200 characters of the response are reflected, the impact is limited to exposure of that fragment rather than full network compromise, but it is still sufficient to leak sensitive or confidential data.

Generated by OpenCVE AI on April 15, 2026 at 22:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Weblate to version 5.17 or later.
  • If an upgrade is not possible, configure the WEBLATE_MACHINERY setting to restrict allowed machinery service URLs.
  • Restrict the project.edit permission to trusted personnel or remove the Administration role from untrusted users.


Advisories
Source: GitHub GHSA
ID: GHSA-xrwr-fcw6-fmq8
Title: Weblate: SSRF via Project-Level Machinery Configuration
History

Thu, 16 Apr 2026 09:30:00 +0000

Type: First Time appeared
Values added: Weblate, Weblate weblate

Type: Vendors & Products
Values added: Weblate, Weblate weblate

Wed, 15 Apr 2026 19:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 18:30:00 +0000

Type: Description
Values added: Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read. This issue has been fixed in version 5.17. If developers are unable to immediately upgrade, they can limit available machinery services via WEBLATE_MACHINERY setting.

Type: Title
Values added: Weblate: SSRF via Project-Level Machinery Configuration

Type: Weaknesses
Values added: CWE-200, CWE-918

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T18:50:10.569Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34244

Vulnrichment

Updated: 2026-04-15T18:50:05.146Z

NVD

Status: Undergoing Analysis

Published: 2026-04-15T19:16:35.903

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-34244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:12:29Z

Weaknesses