Weblate, Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR), Moderate Severity

The vulnerability stems from broken authorization in Weblate's REST API, on the endpoints that serve user and project data. An Insecure Direct Object Reference (IDOR) arises when the API confirms that a referenced object exists but never confirms that the requester is allowed to see it: an attacker edits the object identifier in the request and reads another user's or project's record directly. Endpoints such as `/api/users/` or `/api/users//notifications/` may lack this object-level check, so a client can enumerate them. By issuing HTTP GET requests with incrementing IDs, an attacker systematically retrieves every user's notification settings or lists every user, because the server does not verify that the requester holds viewing privileges on the referenced object.

The flaw is exploitable remotely over the network and, for the affected endpoints, requires no authentication. The exposed data includes e-mail addresses and project details, so the whole user base and project structure can be mapped, which aids social engineering and follow-on attacks. The enumeration therefore undermines confidentiality by disclosing records that should be readable only by authorized users.
Platform: Weblate
Version: Not specified
Vulnerability: IDOR in API
Severity: Moderate
Date: Dec 15, 2025

Prediction: Patch available

What Undercode Says:

Analytics:

# List every user; an unauthenticated request is enough on an affected instance
curl -s https://weblate.example.com/api/users/
# Read one user's notification settings by guessing the numeric id
curl -s https://weblate.example.com/api/users/1/notifications/
# Sweep sequential ids; on a patched instance every id should answer with 401/403 instead of a record
for id in {1..100}; do curl -s "https://weblate.example.com/api/users/$id/"; echo; done

How Exploit:

Send GET requests to the user endpoints with incrementing user IDs. Because the endpoints do not check whether the caller may view the referenced object, each request returns that user's record or notification settings, and a short loop lists the entire user base.
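The sweep above leaves a recognisable trace: one client walking consecutive ids under `/api/users/` in quick succession. The following detector is an added example, not code from the original post or from Weblate; the access-log lines are constructed for the illustration (documentation-range IPs), and the combined-log regex and thresholds are assumptions a deployment would tune.

```python
"""Added example: flag sequential-id sweeps of /api/users/<id>/ in access logs.

The log lines below are constructed for this example; the format is the
common Apache/nginx combined layout. Threshold values are assumptions."""
import re
from collections import defaultdict

# Constructed sample log: one client sweeping ids 1..6 (a 404 on a missing
# id is still a probe), one client reading a single record.
ACCESS_LOG = """\
203.0.113.7 - - [15/Dec/2025:10:01:01 +0000] "GET /api/users/1/ HTTP/1.1" 200 412
203.0.113.7 - - [15/Dec/2025:10:01:01 +0000] "GET /api/users/2/ HTTP/1.1" 200 398
203.0.113.7 - - [15/Dec/2025:10:01:02 +0000] "GET /api/users/3/ HTTP/1.1" 200 401
203.0.113.7 - - [15/Dec/2025:10:01:02 +0000] "GET /api/users/4/ HTTP/1.1" 404 52
203.0.113.7 - - [15/Dec/2025:10:01:02 +0000] "GET /api/users/5/notifications/ HTTP/1.1" 200 233
203.0.113.7 - - [15/Dec/2025:10:01:03 +0000] "GET /api/users/6/ HTTP/1.1" 200 405
198.51.100.9 - - [15/Dec/2025:10:02:10 +0000] "GET /api/users/42/ HTTP/1.1" 200 410
198.51.100.9 - - [15/Dec/2025:10:03:30 +0000] "GET /api/projects/website/ HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# The user object itself or its notifications sub-resource.
USER_PATH_RE = re.compile(r"^/api/users/(?P<id>\d+)/(?:notifications/)?$")


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def longest_run(seq):
    """Length of the longest strictly consecutive run in a sorted int list."""
    if not seq:
        return 0
    best = cur = 1
    for a, b in zip(seq, seq[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def find_sweeps(log_text, min_run=5):
    """Return {ip: sorted distinct user ids} for clients whose requests to
    user endpoints contain a consecutive-id run of at least min_run.
    Status codes are ignored on purpose: 404s are part of the sweep."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pm = USER_PATH_RE.match(rec["path"])
        if pm:
            ids_by_ip[rec["ip"]].add(int(pm.group("id")))
    hits = {}
    for ip, ids in ids_by_ip.items():
        seq = sorted(ids)
        if longest_run(seq) >= min_run:
            hits[ip] = seq
    return hits


if __name__ == "__main__":
    for ip, ids in find_sweeps(ACCESS_LOG).items():
        print(f"possible user enumeration from {ip}: ids {ids[0]}..{ids[-1]} ({len(ids)} distinct)")
```

Counting distinct ids per client rather than request volume keeps a legitimate integration that polls one record repeatedly out of the alert, while still catching a slow sweep spread over time; add a time window if the log volume makes per-IP state expensive.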

Protection from this CVE

Update to a patched Weblate version. If you maintain custom API views or a fork, enforce object-level authorization on every endpoint that takes an object identifier: check that the requesting user may view that specific user or project, not merely that the user is logged in or that the object exists. After upgrading, confirm the fix by requesting another user's `/api/users/<id>/notifications/` without credentials and with an ordinary account; both should be refused.
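What "strict authorization checks" means in code, as an added example that is not Weblate's own implementation: a handler that only checks existence (the IDOR) beside one that runs an object-level permission check first. The data model, handler names and the in-memory records are assumptions made for this illustration.

```python
"""Added example, not Weblate's code: the missing object-level authorization
check behind the IDOR, as a vulnerable handler beside a hardened one.
Model, names and the in-memory "database" are hypothetical."""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    email: str
    is_superuser: bool = False


@dataclass
class Notification:
    user_id: int
    project: str
    scope: str  # e.g. "all" or "watched"


# Constructed sample records standing in for the database.
USERS = {
    1: User(1, "admin", "admin@example.com", is_superuser=True),
    2: User(2, "alice", "alice@example.com"),
    3: User(3, "bob", "bob@example.com"),
}
NOTIFICATIONS = {
    2: [Notification(2, "website", "watched")],
    3: [Notification(3, "mobile-app", "all")],
}


class PermissionDenied(Exception):
    """Would map to HTTP 403 in a real API."""


class NotFound(Exception):
    """Would map to HTTP 404."""


def vulnerable_get_notifications(requester, target_id):
    """The IDOR pattern: the only check is that the object exists, so any
    caller (requester=None models an anonymous request) reads any user's
    settings by changing target_id in the URL."""
    if target_id not in NOTIFICATIONS:
        raise NotFound(target_id)
    return NOTIFICATIONS[target_id]


def can_view_user(requester, target_id):
    """Object-level rule: a signed-in user may read their own record and a
    superuser may read any; anonymous callers never pass."""
    if requester is None:
        return False
    return requester.is_superuser or requester.id == target_id


def hardened_get_notifications(requester, target_id):
    """Authorization runs before the existence lookup. A caller who may not
    see target_id gets PermissionDenied whether or not the id exists, so a
    sweep cannot use a 403/404 difference to learn which ids are live."""
    if not can_view_user(requester, target_id):
        raise PermissionDenied(target_id)
    if target_id not in NOTIFICATIONS:
        raise NotFound(target_id)
    return NOTIFICATIONS[target_id]


def probe(handler, requester, target_id):
    """Outcome of one request as the sweep script would see it."""
    try:
        handler(requester, target_id)
        return "leak"
    except PermissionDenied:
        return "denied"
    except NotFound:
        return "notfound"


def sweep(handler, requester, id_range):
    """Replay the curl loop from the Analytics section: ids whose data came back."""
    return [uid for uid in id_range if probe(handler, requester, uid) == "leak"]


if __name__ == "__main__":
    print("anonymous vs vulnerable:", sweep(vulnerable_get_notifications, None, range(1, 7)))
    print("anonymous vs hardened:  ", sweep(hardened_get_notifications, None, range(1, 7)))
    print("bob vs hardened:        ", sweep(hardened_get_notifications, USERS[3], range(1, 7)))
```

The ordering matters: doing the permission check before the lookup means an unauthorized caller sees one uniform refusal, while a framework that fetches first and then checks the object leaks existence through the 404.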

Impact:

Disclosure of user details (e-mail addresses, notification settings) and enumeration of the full user and project list, which is a privacy violation in itself and gives an attacker the target list for phishing, credential attacks and further probing of the instance.

Sources:

Reported By: github.com