Weblate WLC Unscoped API Key Exposure Vulnerability
Vulnerability
A vulnerability exists in the Weblate command-line client, WLC, prior to version 1.17.0, allowing unscoped API keys to be loaded from configuration files. This could lead to the accidental leakage of API keys to different servers. Although this practice was discouraged for years, the functionality remained in place, creating a potential security risk.
Impact
The vulnerability could result in unscoped API keys being leaked to different servers, allowing those servers to make unauthorized API requests on behalf of the user.
Reproduction
To reproduce this vulnerability, configure WLC to use an unscoped API key in the '[weblate]' section or a custom section of the configuration file. Then, run WLC commands that interact with the Weblate API, which may inadvertently expose the API key to a different server.
Remediation
Users should update to WLC version 1.17.0 or later, and remove any unscoped API keys from their configuration. Only URL-scoped keys should be used in the '[keys]' section.
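The following is an added example, not code from WLC itself, showing the difference between the two key locations: a small checker that flags unscoped keys in '[weblate]' or a custom section and resolves a key only from the URL-scoped '[keys]' section. It assumes the INI layout WLC documents for its configuration file and uses constructed placeholder key values.

```python
import configparser

# Constructed sample in the layout of a WLC configuration file: two sections
# carrying an unscoped "key" (the pattern this advisory describes) and one
# URL-scoped entry under [keys]. All key values are placeholders.
SAMPLE_CONFIG = """
[weblate]
url = https://hosted.weblate.org/api/
key = UNSCOPED-PLACEHOLDER-KEY

[mycompany]
url = https://weblate.example.com/api/
key = UNSCOPED-PLACEHOLDER-KEY-2

[keys]
https://hosted.weblate.org/api/ = SCOPED-PLACEHOLDER-KEY
"""


def load_config(text):
    # Only "=" is a delimiter, otherwise the ":" in URLs used as option
    # names under [keys] would be taken as a separator; option names keep
    # their case so the URL round-trips unchanged.
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def find_unscoped_keys(parser):
    # Any section other than [keys] holding a "key" option is the risky
    # pattern: that key is not bound to a server URL.
    return [s for s in parser.sections() if s != "keys" and parser.has_option(s, "key")]


def scoped_key_for(parser, url):
    # Look up a key only from [keys], matched on the API base URL, so a key
    # issued for one server is never presented to another.
    if not parser.has_section("keys"):
        return None
    wanted = url.rstrip("/")
    for scoped_url, key in parser.items("keys"):
        if scoped_url.rstrip("/") == wanted:
            return key
    return None


def resolve_key(parser, section="weblate"):
    # Hardened lookup: take the server URL from the section, then consult
    # only the scoped table. An unscoped "key" in the section is ignored.
    if not parser.has_option(section, "url"):
        return None
    return scoped_key_for(parser, parser.get(section, "url"))
```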
