{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27457", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T17:25:31.100Z", "datePublished": "2026-02-26T21:56:03.220Z", "dateUpdated": "2026-03-03T01:39:37.771Z"}, "containers": {"cna": {"title": "Weblate: Missing access control for the AddonViewSet API exposes all addon configurations", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv"}, {"name": "https://github.com/WeblateOrg/weblate/pull/18107", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/18107"}, {"name": "https://github.com/WeblateOrg/weblate/pull/18164", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/18164"}, {"name": "https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9"}, {"name": "https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f"}, {"name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.16.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T21:56:03.220Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue."}], "source": {"advisory": "GHSA-wppc-7cq7-cgfv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T01:39:25.302136Z", "id": "CVE-2026-27457", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T01:39:37.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27457", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T01:39:25.302136Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T01:39:33.624Z"}}], "cna": {"title": "Weblate: Missing access control for the AddonViewSet API exposes all addon configurations", "source": {"advisory": "GHSA-wppc-7cq7-cgfv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.16.1"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/18107", "name": "https://github.com/WeblateOrg/weblate/pull/18107", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/18164", "name": "https://github.com/WeblateOrg/weblate/pull/18164", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9", "name": "https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f", "name": "https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1", "name": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T21:56:03.220Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27457", "state": "PUBLISHED", "dateUpdated": "2026-03-03T01:39:37.771Z", "dateReserved": "2026-02-19T17:25:31.100Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T21:56:03.220Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "matchCriteriaId": "CFDB43E7-50FD-4502-A4AB-338C87AD180C", "versionEndExcluding": "5.16.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue."}, {"lang": "es", "value": "Weblate es una herramienta de localizaci\u00f3n basada en web. Antes de la versi\u00f3n 5.16.1, el `AddonViewSet` de la API REST (`weblate/api/views.py`, l\u00ednea 2831) utiliza `queryset = Addon.objects.all()` sin sobrescribir `get_queryset()` para limitar el alcance de los resultados por permisos de usuario. Esto permite a cualquier usuario autenticado (o usuarios an\u00f3nimos si `REQUIRE_LOGIN` no est\u00e1 configurado) listar y recuperar TODOS los complementos en todos los proyectos y componentes a trav\u00e9s de `GET /api/addons/` y `GET /api/addons/{id}/`. La versi\u00f3n 5.16.1 soluciona el problema."}], "id": "CVE-2026-27457", "lastModified": "2026-02-27T17:05:12.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T22:20:48.133", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WeblateOrg/weblate/commit/3f58f9a4152bc0cbdd6eff5954f9c7bc4d9f0af9"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WeblateOrg/weblate/commit/7802c9b121eb407c48d4adddd4f2458fb3efef0f"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/WeblateOrg/weblate/pull/18107"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/WeblateOrg/weblate/pull/18164"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.16.1"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-wppc-7cq7-cgfv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.16.1)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "analysis": {"en": {"generated_at": "2026-04-17T14:14:36.638778+00:00", "value": {"mitigation_remediation": ["Upgrade Weblate to version 5.16.1 or later, which limits the AddonViewSet queryset to enforce user permissions.", "Modify server configuration to require authentication (set REQUIRE_LOGIN to true) so that only logged\u2011in users can access the API, thus preventing anonymous disclosure.", "If an upgrade is not immediately possible, restrict access to the /api/addons/ endpoint using network firewall rules or reverse\u2011proxy authentication so that only trusted network segments or approved IP addresses can reach that endpoint."], "summary": {"action": "Patch", "impact": "Unauthorized disclosure of all addon configurations"}, "threat_synthesis": {"affected_systems": "Weblate installations running any version prior to 5.16.1 are affected. This includes the default release series Weblate 5.15 and earlier, which developers and site administrators might still be using. Updating to Weblate 5.16.1 or later eliminates the problem, as the API is then correctly scoped to the current user\u2019s permissions.", "description_and_impact": "The vulnerability in Weblate\u2019s REST API allows a user to retrieve every addon configuration in the system, regardless of their project membership or permissions. Because the AddonViewSet uses an unfiltered queryset, any authenticated user can issue GET requests to /api/addons/ and /api/addons/{id}/ to obtain confidential addon data. The exposure threatens privacy and could serve as groundwork for further exploitation, as addon configurations may reference sensitive environment variables or connection strings. This represents a medium severity information\u2011disclosure flaw (CWE\u2011200 and CWE\u2011862).", "risk_and_exploitability": "The CVSS v3 score of 4.3 indicates moderate risk. EPSS is less than 1%, meaning active exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack path is straightforward: an attacker merely needs to authenticate to the application or rely on a misconfigured REQUIRE_LOGIN setting to obtain any user credentials, then perform simple GET requests to the /api/addons/ endpoint. Although the low exploitation probability reduces urgency, the potential for widespread data leakage warrants prompt remediation."}}}}, "created": "2026-02-27T09:04:02.121732+00:00", "updated": "2026-04-17T14:15:21.828456+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}