How the CVE Works
The vulnerability resides in Weblate’s REST API endpoints for screenshots, tasks, and component links. Prior to version 5.17, these endpoints lacked proper project‑scoped permission checks. An authenticated attacker (or, in some configurations, an unauthenticated user) can send carefully crafted API requests that enumerate translation units, tasks, or component links from projects they are not authorized to access.
Specifically, the API did not validate whether the user had the required permissions (e.g., translation.view) for the target project. By iterating over translation IDs or project slugs, the attacker can list all translations in a private project, exposing proprietary terminology, unreleased software strings, and other sensitive information.
The flaw is rooted in the API’s failure to enforce the same access controls that apply to the web interface. The `ScreenshotViewSet`, `TaskViewSet`, and `ComponentLinkViewSet` did not inherit project‑based permission filters, allowing direct enumeration of translation resources.
An attacker can exploit this by:
- Obtaining any valid API token (or session cookie).
- Sending a GET request to `/api/screenshots/?project=` with the target project's slug as the value, without being a member of that project.
- Receiving a JSON response containing all screenshots and their associated translation strings for the private project.
Similarly, the tasks and component links endpoints can be queried to list pending operations and linked documentation, further leaking project metadata.
The issue was fixed in Weblate 5.17 by adding explicit permission checks (`user.has_perm('translation.view', translation)`) to all affected endpoints, ensuring that users can only access translations for projects they are explicitly granted access to.
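The following is an added illustrative model of the access-control gap and its fix, written for this page rather than taken from Weblate's source. The `User`, `Project` and `Translation` classes, the permission table and the sample data are all assumptions; what it shows is the difference between filtering a list endpoint only by the client-supplied project slug and additionally requiring an object-level `translation.view` permission on every returned item, which is the shape of the 5.17 fix described above.

```python
"""Illustrative model of project-scoped permission checks on a list endpoint.
Constructed example, not Weblate's code: the classes, the permission table and
the sample projects below are assumptions made for this demonstration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Project:
    slug: str
    private: bool = True


@dataclass(frozen=True)
class Translation:
    id: int
    project: Project
    strings: tuple  # (source, target) pairs


@dataclass
class User:
    name: str
    # project slugs this user has been explicitly granted access to
    memberships: set = field(default_factory=set)
    superuser: bool = False

    def has_perm(self, perm: str, obj: Translation) -> bool:
        """Object-level check modelled on user.has_perm('translation.view', translation)."""
        if self.superuser:
            return True
        if not obj.project.private:
            return True  # public projects are viewable by any authenticated user
        return perm == "translation.view" and obj.project.slug in self.memberships


# Constructed sample data: one public project and one private project.
PUBLIC = Project("docs", private=False)
PRIVATE = Project("example-private")
TRANSLATIONS = [
    Translation(1, PUBLIC, (("Save", "Speichern"),)),
    Translation(2, PRIVATE, (("Launch codename", "Projekt Falke"),)),
]


def list_translations_vulnerable(user: User, project: str) -> list:
    """Pre-5.17 shape: filter only by the project slug the client supplied.
    Any authenticated user who guesses a slug receives the private items."""
    return [t for t in TRANSLATIONS if t.project.slug == project]


def list_translations_fixed(user: User, project: str) -> list:
    """Post-5.17 shape: also require translation.view on each object, so the
    response for a project the user cannot view is empty rather than leaking."""
    return [
        t for t in TRANSLATIONS
        if t.project.slug == project and user.has_perm("translation.view", t)
    ]


if __name__ == "__main__":
    outsider = User("outsider")
    print("vulnerable:", [t.id for t in list_translations_vulnerable(outsider, "example-private")])
    print("fixed:     ", [t.id for t in list_translations_fixed(outsider, "example-private")])
```

The important design point is that the check runs per object, not once per request: a user may legitimately see some translations matching a filter and not others, so the permission filter belongs in the queryset (or the list comprehension here), not in a single early `if` on the project parameter.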
DailyCVE Form
Platform: Weblate
Version: prior to 5.17
Vulnerability: Improper access control
Severity: Moderate
Date: 2026-04-30
Prediction: Already patched in 5.17
What Undercode Say:
Check if a Weblate instance is vulnerable (requires a valid API token). If the response returns screenshot data for a private project the token's owner is not a member of, the system is vulnerable:

```bash
# Check if a Weblate instance is vulnerable (requires valid API token)
curl -X GET "https://weblate.example.com/api/screenshots/?project=example-private" \
  -H "Authorization: Token <your_api_key>" \
  -H "Content-Type: application/json"

# Enumerate all tasks in a hidden component
curl -X GET "https://weblate.example.com/api/tasks/?component=hidden-component" \
  -H "Authorization: Token <your_api_key>"

# List component links of an inaccessible project
curl -X GET "https://weblate.example.com/api/component-links/?project=private-project" \
  -H "Authorization: Token <your_api_key>"
```
Exploit:
- Identify a target Weblate instance (version < 5.17).
- Obtain any authenticated API token (e.g., from a low‑privilege user).
- Use the token to call `/api/screenshots/`, `/api/tasks/`, or `/api/component-links/` with parameters pointing to a private project.
- Parse the JSON response to collect translation strings, screenshot metadata, pending operations, and linked resources.
- Use the harvested data to gain insight into the project’s development, internal terminology, or unreleased features.
Protection from this CVE:
- Upgrade to Weblate 5.17 or later immediately.
- If upgrading is not possible, block API access to the vulnerable endpoints using a reverse proxy or WAF rule.
- Restrict API token generation to only highly trusted users.
- Monitor API logs for suspicious `GET` requests to `/api/screenshots/`, `/api/tasks/`, and `/api/component-links/` that appear to enumerate projects.
- Review project permissions and ensure the principle of least privilege is applied to all users.
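As an added example of the log-monitoring step above (not a Weblate tool, and not from the original post), the script below scans constructed web-server access log lines and flags any client that requests more than a threshold of distinct `project`/`component` scopes on the three affected endpoints inside a short window. The log format (nginx-style combined log with the authenticated user in the third field), the threshold and the window are assumptions; adapt the regex to whatever your proxy actually records.

```python
"""Detection sketch for enumeration of the affected Weblate API endpoints.
Added example, not Weblate tooling: the log layout, sample lines, threshold and
window below are constructed assumptions for this demonstration."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed log layout: ip, ident, authenticated user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# The three list endpoints that lacked project-scoped checks before 5.17
AFFECTED = ("/api/screenshots/", "/api/tasks/", "/api/component-links/")
SCOPE_PARAMS = ("project", "component")

# Constructed sample lines: one token walks many project slugs in a few seconds,
# another makes a single ordinary request plus a request to an unaffected endpoint.
SAMPLE_LOG = """\
203.0.113.5 - tok_a1 [30/Apr/2026:10:00:01 +0000] "GET /api/screenshots/?project=alpha HTTP/1.1" 200 512
203.0.113.5 - tok_a1 [30/Apr/2026:10:00:02 +0000] "GET /api/screenshots/?project=beta HTTP/1.1" 200 498
203.0.113.5 - tok_a1 [30/Apr/2026:10:00:03 +0000] "GET /api/tasks/?component=gamma HTTP/1.1" 200 300
203.0.113.5 - tok_a1 [30/Apr/2026:10:00:04 +0000] "GET /api/component-links/?project=delta HTTP/1.1" 200 120
203.0.113.5 - tok_a1 [30/Apr/2026:10:00:05 +0000] "GET /api/screenshots/?project=epsilon HTTP/1.1" 200 510
198.51.100.9 - tok_b2 [30/Apr/2026:10:00:07 +0000] "GET /api/screenshots/?project=docs HTTP/1.1" 200 511
198.51.100.9 - tok_b2 [30/Apr/2026:10:00:09 +0000] "GET /api/units/?q=state:translated HTTP/1.1" 200 900
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def scope_values(path):
    """Return the (param, value) pairs that scope a request to a project or
    component, but only for the affected endpoints; other paths yield nothing."""
    parts = urlsplit(path)
    if not parts.path.startswith(AFFECTED):
        return set()
    qs = parse_qs(parts.query)
    return {(k, v) for k in SCOPE_PARAMS for v in qs.get(k, [])}


def find_enumerators(log_text, threshold=3, window_seconds=60):
    """Map (user, ip) -> number of distinct scopes for every client that touched
    more than `threshold` distinct project/component scopes within any
    `window_seconds` span. A normal user rarely walks many slugs that fast."""
    events = defaultdict(list)  # (user, ip) -> [(timestamp, scope), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        for scope in scope_values(rec["path"]):
            events[(rec["user"], rec["ip"])].append((rec["ts"], scope))

    flagged = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(evs):
            # distinct scopes seen from this event forward within the window
            in_window = {s for t, s in evs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) > threshold:
                flagged[key] = len(in_window)
                break
    return flagged


if __name__ == "__main__":
    for (user, ip), n in find_enumerators(SAMPLE_LOG).items():
        print(f"possible enumeration: user={user} ip={ip} distinct_scopes={n}")
```

On the sample input only `tok_a1` is reported (five distinct scopes in four seconds); `tok_b2` is ignored because its single scoped request is below the threshold and `/api/units/` is not one of the affected endpoints. On a patched instance the same pattern is still worth alerting on, since a client iterating slugs is probing regardless of whether the server now returns empty results.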
Impact:
- Confidentiality breach – Private translation strings, including proprietary terminology, unreleased software text, and sensitive product names, are exposed.
- Information disclosure – Attackers can enumerate project structure, pending tasks, and associated documentation, enabling further targeted attacks.
- Compliance violation – Exposure of unpublished material may violate NDAs or internal security policies.
- Reputational damage – Leak of pre‑release translations can harm trust in the organization’s security posture.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode