IP Spoofing Vulnerability in LibreTranslate Affects Authentication Security
CVE-2026-57942

6.9 MEDIUM

Key Information:

Vendor
CVE Published: 29 June 2026

What is CVE-2026-57942?

LibreTranslate versions up to 1.9.7 expose users to an IP spoofing vulnerability due to inadequate checks on the X-Forwarded-For HTTP header in the get_remote_address() function. This flaw allows unauthenticated attackers to inject arbitrary values, effectively forging client IP addresses. By exploiting this weakness, attackers can circumvent rate limits and flood bans, leading to potential unlimited API abuse. A patch has been introduced in later versions to address this security issue.
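
The trust decision behind this class of flaw, as an added example (not LibreTranslate's code or its patch): a resolver that uses X-Forwarded-For as sent, next to one that accepts the header only from known proxies and reads it right to left. The function names, the trusted proxy networks and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: reverse proxies live in these networks (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.1/32")]

def naive_client_ip(peer_addr, headers):
    """Pattern the advisory describes: the header value is used as sent."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_addr

def _parse(addr):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None

def _trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)

def hardened_client_ip(peer_addr, headers):
    """Accept X-Forwarded-For only from trusted proxies, reading right to left."""
    if not _trusted(_parse(peer_addr)):
        return peer_addr  # direct connection: the header is client-controlled
    client = peer_addr
    for hop in reversed(headers.get("X-Forwarded-For", "").split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: keep the last address we could validate
        client = str(ip)
        if not _trusted(ip):
            break  # first untrusted hop is the real client; ignore anything left of it
    return client

def rate_limit_keys(resolver, requests):
    """Distinct rate-limit buckets a stream of (peer, headers) requests lands in."""
    return {resolver(peer, headers) for peer, headers in requests}

# Constructed traffic: one client (198.51.100.23) sending a new forged header each time,
# first directly, then through a proxy at 10.0.0.2 that appends the real peer address.
DIRECT = [("198.51.100.23", {"X-Forwarded-For": f"192.0.2.{i}"}) for i in range(1, 6)]
PROXIED = [("10.0.0.2", {"X-Forwarded-For": f"192.0.2.{i}, 198.51.100.23"}) for i in range(1, 6)]

if __name__ == "__main__":
    for name, reqs in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, len(rate_limit_keys(naive_client_ip, reqs)),
              len(rate_limit_keys(hardened_client_ip, reqs)))
```

With the naive resolver the single client lands in five separate rate-limit buckets; with the hardened one it stays in a single bucket whether it connects directly or through the proxy.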

Affected Version(s)

LibreTranslate 0 <= 1.9.7

LibreTranslate 397fd224080515d4001a1bc60c8fed53e3c56b6f

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen