Weblate, Path Traversal, CVE-2026-40256 (Medium)

Listen to this Post

How the CVE works:

Weblate uses string prefix checks (startswith) on resolved absolute paths to enforce repository boundaries. This check is not path‑segment aware, allowing an attacker to bypass it via a symlink or junction that points to a path sharing the same string prefix as the repository root. For example, if the repository root is /repo, a symlink pointing to `/repo_outside` resolves to a path that starts with `/repo` – the prefix check passes, even though the symlink points outside the repository. After the check, Weblate operates on the symlink target, which lies outside the intended boundary. This flaw exists in multiple code paths, including file download and component creation functions. An attacker with write access to a repository can create a symlink to a sensitive system file (e.g., /etc/passwd) and trick Weblate into reading or serving that file. The vulnerability affects Weblate versions prior to 5.17. The fix replaces the prefix check with path‑segment‑aware logic using `os.path.realpath` and os.path.commonpath.
Platform: Weblate
Version: before 5.17
Vulnerability : Path traversal
Severity: Medium
date: 2026-04-15

Prediction: Patch 2026-04-16

Analytics under What Undercode Say:

Check Weblate version
weblate --version
Create a symlink to a sensitive file
ln -s /etc/passwd /path/to/repo/symlink
Attempt to read the symlink via Weblate's download endpoint
curl "http://localhost/weblate/download/repo/symlink"
Python snippet showing the flawed prefix check
import os
repo_root = "/repo"
attacker_path = "/repo_outside/file.txt"
if os.path.realpath(attacker_path).startswith(repo_root):
Bypassed! attacker_path resolves outside the repository
pass

Exploit:

Create a symlink inside a Weblate‑managed repository that points to a sensitive file outside the repository (e.g., /etc/passwd). Trigger a component operation that uses the vulnerable prefix check, such as a ZIP download or file read. The resolved symlink path will be accepted, and Weblate will read or serve the external file.

Protection from this CVE:

Upgrade Weblate to version 5.17 or later. Apply the patch from commit e30dbcb33ae78e754ecef192d54f996b89cb4e15. If upgrading is not immediately possible, restrict write access to repositories to trusted users only and disable symlink creation in untrusted contexts.

Impact:

Information disclosure and arbitrary file read outside the repository. Attackers can read sensitive system files, configuration data, SSH keys, or other confidential information stored on the server.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top