Access Control Weakness in Weblate Localization Tool
CVE-2026-33212

3.1LOW

Key Information:

Vendor: Weblateorg
Status: Weblate
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-33212?

Weblate, a web-based localization tool, contains a vulnerability in its tasks API that fails to properly validate user access for pending tasks. This security weakness allows unauthorized users to potentially view logs of ongoing operations, which should be restricted according to the task's access scope. While the exploitation of this issue requires brute-forcing the random UUID of the task, making it unlikely under normal API rate limits, it still poses a risk. The problem has been addressed in version 5.17, emphasizing the importance of upgrading to protect sensitive information.

Affected Version(s)

weblate < 5.17

References

https://github.com/WeblateOrg/weblate/security/advisories...

x_refsource_CONFIRM

https://github.com/WeblateOrg/weblate/commit/4e06b12cd05d...

x_refsource_MISC

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-33212 Data

JSON

Weblateorg

What is CVE-2026-33212?

Affected Version(s)

References

CVSS V3.1

Timeline