Description
LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in LibreTranslate versions through 1.9.7 permits unauthenticated attackers to inject arbitrary values into the X-Forwarded-For header and thereby spoof client IP addresses. The root cause is that the application trusts the forwarded header without checking that the request arrived through a trusted proxy (CWE-348, Use of Less Trusted Source), so an attacker can bypass IP-based rate limiting and flood bans and abuse the translation API without limit.

Affected Systems

LibreTranslate releases up to and including version 1.9.7 are affected. The bug was fixed in commit 397fd22; any release containing that commit includes the patch.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate risk. Although EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, the flaw can be exploited remotely via simple HTTP requests with a crafted X-Forwarded-For header and requires no authentication. Attackers with network access can easily bypass IP restrictions and abuse the service, creating a significant risk for systems exposed to public traffic.

Generated by OpenCVE AI on June 29, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreTranslate to a version that includes commit 397fd22 or later
  • If an immediate upgrade is not possible, configure the infrastructure to strip or ignore the X-Forwarded-For header before it reaches the application
  • Disable or restrict the use of forwarded headers in get_remote_address unless the request comes through a trusted proxy
  • Apply additional IP-based rate limiting that relies on the connection's source address instead of any forwarded header
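The trusted-proxy check the recommendations describe, as an added illustration that is not LibreTranslate's own code: the naive variant reproduces the weakness (any peer can set the address used for rate limiting), the hardened variant only consults X-Forwarded-For when the TCP peer is in a configured trusted-proxy list and then picks the rightmost hop that is not itself a trusted proxy. The TRUSTED_PROXIES ranges and function names are assumptions for the example.

```python
import ipaddress
from typing import List, Optional

# Assumption (constructed for the example): the reverse proxies that may sit in
# front of the application. In a real deployment this comes from configuration.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_trusted_proxy(addr: str) -> bool:
    """True if addr parses as an IP that falls inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def get_client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """The pattern the advisory describes: trust the header unconditionally.

    A direct client can put any value in X-Forwarded-For and that value becomes
    the key for per-IP rate limiting and flood bans.
    """
    return xff.split(",")[0].strip() if xff else remote_addr


def get_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Hardened variant: key rate limiting on the peer unless it is a trusted proxy.

    remote_addr: the TCP peer address as the application sees it.
    xff: raw X-Forwarded-For header value, or None when absent.
    Only proxies we trust append entries we can believe, so walk the list from
    the right and stop at the first hop that is not one of our proxies.
    """
    if not xff or not _is_trusted_proxy(remote_addr):
        return remote_addr  # direct client (or unknown proxy): header is ignored
    hops: List[str] = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted_proxy(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr  # malformed entry: fall back to the peer
    return remote_addr  # every hop was one of our proxies; nothing better known
```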

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type          Values Removed   Values Added
Description                    LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.
Title                          LibreTranslate - IP Spoofing via X-Forwarded-For Header
Weaknesses                     CWE-348
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T18:37:50.397Z

Reserved: 2026-06-26T13:57:16.355Z

Link: CVE-2026-57942

Vulnrichment

Updated: 2026-06-29T18:37:38.334Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T19:30:02Z

Weaknesses
  • CWE-348: Use of Less Trusted Source