Unscoped API Key Vulnerability in Weblate's Command-Line Client
CVE-2026-22251

5.3MEDIUM

Key Information:

Vendor

Weblateorg

Status
Wlc
Vendor
CVE Published:
12 January 2026

What is CVE-2026-22251?

The wlc command-line client for Weblate has a vulnerability allowing unscoped API keys to be provided in its settings. Although this practice was discouraged, it remained in the codebase until version 1.17.0, potentially leading to sensitive API keys being leaked across various servers. Users are encouraged to upgrade to the latest version to mitigate the risk associated with this vulnerability.

Affected Version(s)

wlc < 1.17.0

References

https://github.com/WeblateOrg/wlc/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/WeblateOrg/wlc/pull/1098
x_refsource_MISC
https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.