{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33212", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.313Z", "datePublished": "2026-04-15T17:48:17.842Z", "dateUpdated": "2026-04-15T18:09:01.991Z"}, "containers": {"cna": {"title": "Weblate: Improper access control for pending tasks in API", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vj45-x3pj-f4w4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vj45-x3pj-f4w4"}, {"name": "https://github.com/WeblateOrg/weblate/commit/4e06b12cd05d087db68384e09d5f70fe883f2b70", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/commit/4e06b12cd05d087db68384e09d5f70fe883f2b70"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T17:48:17.842Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17."}], "source": {"advisory": "GHSA-vj45-x3pj-f4w4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:08:54.171887Z", "id": "CVE-2026-33212", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:09:01.991Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33212", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:08:54.171887Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:08:58.343Z"}}], "cna": {"title": "Weblate: Improper access control for pending tasks in API", "source": {"advisory": "GHSA-vj45-x3pj-f4w4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.17"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vj45-x3pj-f4w4", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vj45-x3pj-f4w4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/commit/4e06b12cd05d087db68384e09d5f70fe883f2b70", "name": "https://github.com/WeblateOrg/weblate/commit/4e06b12cd05d087db68384e09d5f70fe883f2b70", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T17:48:17.842Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33212", "state": "PUBLISHED", "dateUpdated": "2026-04-15T18:09:01.991Z", "dateReserved": "2026-03-17T23:23:58.313Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T17:48:17.842Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "matchCriteriaId": "64AD3B80-D39E-4EAF-9CF8-B4D3C8A6C58A", "versionEndExcluding": "5.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17."}], "id": "CVE-2026-33212", "lastModified": "2026-04-21T14:11:21.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T18:17:19.897", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WeblateOrg/weblate/commit/4e06b12cd05d087db68384e09d5f70fe883f2b70"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vj45-x3pj-f4w4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.17)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "analysis": {"en": {"generated_at": "2026-04-16T02:30:36.500361+00:00", "value": {"mitigation_remediation": ["Apply the latest Weblate 5.17 or newer release to ensure proper access control is enforced in the tasks API.", "Configure API authentication and enforce role\u2011based access control so only users with the appropriate scope can query pending tasks.", "Enable or tighten rate limiting on the tasks API to slow down potential brute\u2011force attempts against UUIDs."], "summary": {"action": "Upgrade", "impact": "Unauthorized disclosure of pending task logs"}, "threat_synthesis": {"affected_systems": "The affected product is Weblate, developed by the WeblateOrg community. All releases prior to 5.17 are vulnerable. The vulnerability was fixed in Weblate\u00a05.17, which applies proper ACL checks against the owner and scope of pending tasks.", "description_and_impact": "Weblate\u2019s tasks API failed to enforce proper access control before version\u00a05.17, allowing users to retrieve logs for in\u2011progress operations that they were not permitted to see. The weakness is a classic improper access control flaw, CWE\u2011284. An attacker can exploit the flaw by guessing the random UUID of a pending task; however, the API rate limits reduce the likelihood of a successful brute\u2011force attempt, so the practical risk is low, but the confidentiality of work is still at risk.", "risk_and_exploitability": "The CVSS score of 3.1 reflects a low\u2011severity impact. EPSS data is unavailable, and the issue is not listed in the CISA KEV catalog. Exploitation requires brute\u2011forcing a UUID through the public API, a costly activity mitigated by rate limiting, so the true exploitation probability is low. Nevertheless, unauthorized users could still view sensitive logs if they manage to guess a task identifier."}}}}, "created": "2026-04-16T02:45:06.073861+00:00", "updated": "2026-04-16T09:12:38.815725+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}