MEDIUM 4.3 PyPI
Weblate: Improper access control for the translation memory in API
GHSA-mpf5-3vph-q75r · CVE-2026-33214 · PYSEC-2026-152
Published · Modified
Description
Impact
The translation memory API exposed unintended endpoints, which in turn didn't do proper access control.
Patches
Workarounds
Blocking access to /api/memory/ in the HTTP server removes access to this feature.
References
This issue was reported by ggamno via HackerOne.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33214
- WEB https://github.com/WeblateOrg/weblate/pull/18513
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-152.yaml
Ready to move
Start Securing
Free, no credit card | First findings in minutes