Description
Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.
Published: 2026-04-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the user patching API endpoint of Weblate, a web‑based localization platform provided by WeblateOrg. Prior to version 5.17 the endpoint did not correctly enforce scope limits, enabling a user to modify data beyond the intended boundaries. This flaw allows an attacker with API access to elevate privileges and potentially alter translation content or user configurations that should be protected, compromising the integrity of the platform. The flaw is identified as CWE‑269.

Affected Systems

Weblate, a web‑based localization tool from WeblateOrg, is impacted. Any installation using Weblate prior to the 5.17 release is vulnerable, regardless of deployment environment. The issue was corrected in the 5.17 update.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity level. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting no publicly known exploits at this time. The likely attack vector is through authenticated use of the API; an attacker that can authenticate to the Weblate instance can craft requests to the patching endpoint to gain unauthorized modification rights. No other special conditions are noted in the description, so any authenticated user who has API access is at potential risk until the issue is patched or mitigated.

Generated by OpenCVE AI on April 16, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Weblate installation to version 5.17 or later to apply the vendor‑supplied fix.
  • If patching immediately is not feasible, restrict API access to only those users who absolutely require patching capabilities and remove or reduce permissions for anonymous or low‑privilege accounts.
  • Review and harden authentication and authorization checks around the user patching API endpoint to ensure that scope limits are enforced before applying changes.

Generated by OpenCVE AI on April 16, 2026 at 02:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3382-gw9x-477v Weblate: Privilege escalation in the user API endpoint
History

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Weblate
Weblate weblate
Vendors & Products Weblate
Weblate weblate

Wed, 15 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.
Title Weblate: Privilege escalation in the user API endpoint
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Weblate Weblate
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T18:38:53.920Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34393

cve-icon Vulnrichment

Updated: 2026-04-15T18:38:49.266Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-15T19:16:36.070

Modified: 2026-04-21T14:05:57.380

Link: CVE-2026-34393

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:12:28Z

Weaknesses