Weblate AddonViewSet API Access Control Vulnerability

Vulnerability

A vulnerability in the Weblate AddonViewSet API prior to version 5.16.1 allowed authenticated users, and anonymous users if REQUIRE_LOGIN was not set, to access and retrieve all add-on configurations across projects and components. This was due to the API endpoint not properly scoping results by user permissions, exposing potentially sensitive information.

Impact

The vulnerability could lead to unauthorized access, via the Weblate API, to add-on configurations that might contain sensitive information.

Reproduction

To reproduce this vulnerability, send a GET request to the '/api/addons/' endpoint. If not logged in, ensure that the REQUIRE_LOGIN setting is disabled. The response will include all add-ons from all projects and components, regardless of the user's permissions.

Remediation

Weblate has released version 5.16.1, which addresses this vulnerability by implementing proper access control on the AddonViewSet API. Users can upgrade to this version to mitigate the issue.
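The defect and the corrected behaviour, modelled in plain Python as an added example (this is not Weblate's code): a listing that only applies the login gate next to one that also scopes results per object, plus an audit helper that reports what a given caller should not have seen. The Component/Addon/User classes, the can_view() rule and the sample data are constructed assumptions standing in for Weblate's real models and permission checks.

```python
"""Added illustration (not Weblate's own code) of the listing defect described above.
Classes, the can_view() rule and sample data are constructed stand-ins for Weblate's."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Component:
    project: str
    public: bool  # True: the project is visible without logging in

@dataclass(frozen=True)
class Addon:
    name: str
    component: Component
    configuration: dict = field(default_factory=dict)  # may hold secrets

@dataclass(frozen=True)
class User:
    projects: frozenset  # projects this user has been granted access to

def can_view(user, component):
    """Assumed object-level rule: public projects for anyone, others per grant."""
    return component.public or (user is not None and component.project in user.projects)

def list_addons_unscoped(addons, user, require_login):
    """Pre-5.16.1 pattern as the advisory describes it: only the login gate is
    applied; the result set itself is never filtered by the caller's permissions."""
    if user is None and require_login:
        raise PermissionError("authentication required")
    return list(addons)

def list_addons_scoped(addons, user, require_login):
    """Corrected pattern: the same login gate, plus per-object scoping of results."""
    if user is None and require_login:
        raise PermissionError("authentication required")
    return [a for a in addons if can_view(user, a.component)]

def leaked_addons(listing, user):
    """Audit helper: names in an /api/addons/-style listing the caller should not
    see. An empty result means the listing is correctly scoped for that caller."""
    return [a.name for a in listing if not can_view(user, a.component)]

# Constructed sample data: a public project, and a private one whose add-on holds a placeholder secret.
PUBLIC = Component("docs", public=True)
PRIVATE = Component("internal", public=False)
ADDONS = (
    Addon("example.addon.flags", PUBLIC),
    Addon("example.addon.webhook", PRIVATE, {"url": "https://hooks.example.invalid/PLACEHOLDER"}),
)
ALICE = User(frozenset({"docs"}))  # authenticated, but no grant on "internal"
```

After upgrading, the same audit idea applies to a real listing: compare the entries returned to a low-privileged account against the components that account can actually open, and expect no difference.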

Added: Feb 26, 2026, 10:31 PM
Updated: Feb 26, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          0.6
  exploitability  7.7
  remediation     7.7
  relevance       3.2
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.