The vulnerability stems from broken authorization mechanisms within Weblate’s REST API, specifically affecting endpoints that handle user and project data. Insecure Direct Object Reference (IDOR) occurs when the API fails to validate user permissions adequately, allowing unauthorized access to sensitive resources. Attackers can manipulate object identifiers in API requests to reference users or projects directly without proper checks. For instance, endpoints like `/api/users/` or `/api/users/
Platform: Weblate
Version: Not specified
Vulnerability: IDOR in API
Severity: Moderate
Date: Dec 15, 2025
Prediction: Patch available
What Undercode Says:
Analytics:
curl -X GET https://weblate.example.com/api/users/
curl -X GET https://weblate.example.com/api/users/1/notifications/
for id in {1..100}; do curl -s https://weblate.example.com/api/users/$id/; done
How to Exploit:
Send API requests that enumerate user IDs to retrieve per-user notification settings and to list all users through endpoints that do not check the requester's authorization for the referenced object.
Protection from this CVE
Update to a patched Weblate version, implement strict authorization checks, and validate the requester's permission for every object referenced by an API request (object-level checks, not only a login check).
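The following added example (hypothetical, framework-free Python, not Weblate's own code) contrasts an IDOR-prone handler for a resource like `/api/users/<id>/notifications/` with a hardened one that authorizes the (requester, object) pair before returning data; the users, settings and policy are constructed for illustration.

```python
"""Object-level authorization for a per-user resource such as
/api/users/<id>/notifications/. Hypothetical sketch with constructed data;
the real application would query its database and permission system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_superuser: bool = False


# Constructed sample data standing in for the user table and per-user settings.
USERS = {1: User(1, "alice", is_superuser=True), 2: User(2, "bob"), 3: User(3, "carol")}
NOTIFICATIONS = {1: ["comment"], 2: ["new_string"], 3: ["translation_approved"]}


class Forbidden(Exception):
    """Raised when the requester may not access the referenced object."""


def get_notifications_idor(requester: User, target_id: int) -> list[str]:
    """Vulnerable form: the id taken from the URL is trusted as long as the
    caller is authenticated; nobody checks whose settings are being read."""
    if target_id not in NOTIFICATIONS:
        raise KeyError(target_id)
    return NOTIFICATIONS[target_id]


def can_view_user(requester: User, target_id: int) -> bool:
    """Object-level policy: users see their own settings, superusers see any."""
    return requester.is_superuser or requester.id == target_id


def get_notifications_fixed(requester: User, target_id: int) -> list[str]:
    """Hardened form: authorize the (requester, object) pair before returning
    data. Missing and forbidden objects get the same error so the endpoint
    cannot be used to discover which user ids exist."""
    if target_id not in NOTIFICATIONS or not can_view_user(requester, target_id):
        raise Forbidden(f"user {requester.id} may not view user {target_id}")
    return NOTIFICATIONS[target_id]


def disclosed_ids(handler, requester: User, candidate_ids) -> list[int]:
    """Measure exposure: which candidate ids return data for this requester."""
    found = []
    for target_id in candidate_ids:
        try:
            handler(requester, target_id)
            found.append(target_id)
        except (Forbidden, KeyError):
            pass
    return found
```

With the vulnerable handler, an ordinary user walking ids 1..4 reads three accounts' settings; with the hardened one, only their own.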
Impact:
Information disclosure of user details and project enumeration, leading to privacy violations and increased attack surface.
Sources:
Reported By: github.com

