Weblate: SSRF via Project-Level Machinery Configuration
GHSA-xrwr-fcw6-fmq8 · CVE-2026-34244
Description
Impact
A user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read.
Patches
- https://github.com/WeblateOrg/weblate/pull/18684
- The fix was subsequently cleaned up in follow-up patches
Workarounds
Limiting the machinery services that can be configured, via the WEBLATE_MACHINERY setting, avoids this.
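The two defects the advisory describes are that a project-level admin can point a service at an internal address, and that the validation step echoes part of the upstream response. The following is an added example, not Weblate's code and not the fix from the linked pull request: it validates a service URL before the server contacts it (scheme, no embedded credentials, every resolved address must be public) and reports a failed probe by status code only. The function names, the UnsafeServiceURL and ServiceCheckFailed exceptions and the injected fetch callable are assumptions made for illustration; 8.8.8.8 is used only as an arbitrary public address so the demo runs offline.

```python
"""Added example (not Weblate's code or its fix): validate a user-supplied
machine-translation service URL before contacting it, and report a failed
probe without reflecting the upstream response body."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeServiceURL(ValueError):
    """Raised when a configured service URL must not be contacted at all."""


class ServiceCheckFailed(RuntimeError):
    """Raised when the probe of an otherwise acceptable URL fails."""


def resolve_host(host):
    """Resolve to the set of addresses a client could actually connect to.
    Literal IPs resolve without DNS, so the example runs offline."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise UnsafeServiceURL("service host does not resolve") from exc
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def is_public_address(addr):
    """is_global already excludes loopback, RFC 1918, link-local, unique-local,
    unspecified and reserved ranges; multicast is rejected separately."""
    return addr.is_global and not addr.is_multicast


def validate_service_url(url, resolve=resolve_host):
    """Return (hostname, addresses) for a URL that is safe to probe, or raise.
    Every check runs before any request leaves the server."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeServiceURL("only http(s) service URLs are accepted")
    if not parts.hostname:
        raise UnsafeServiceURL("service URL has no host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeServiceURL("credentials embedded in the URL are not accepted")
    addresses = resolve(parts.hostname)
    if not addresses:
        raise UnsafeServiceURL("service host does not resolve")
    for addr in addresses:
        if not is_public_address(addr):
            # The message is shown to the project admin; keep it generic.
            raise UnsafeServiceURL("service host resolves to a non-public address")
    return parts.hostname, addresses


def reflecting_error(status, body):
    """The anti-pattern the advisory describes: echoing part of the upstream
    body turns a blind request into a partial response read. For contrast only."""
    return f"Service returned HTTP {status}: {body[:200]}"


def safe_error(status):
    """Hardened message: status code only, nothing from the response body."""
    return f"Service check failed with HTTP {status}"


def check_service(url, fetch, resolve=resolve_host):
    """Validate, then probe. `fetch(url) -> (status, body)` stands in for the
    HTTP client so the example runs offline; a real client must not follow
    redirects, or the address check above is bypassed by the redirect target."""
    validate_service_url(url, resolve)
    status, body = fetch(url)
    if status != 200:
        raise ServiceCheckFailed(safe_error(status))
    return True


if __name__ == "__main__":
    def fake_fetch(url):  # constructed stand-in for the HTTP client
        return 200, "{}"

    print(check_service("https://8.8.8.8/translate", fake_fetch))
    for bad in ("http://127.0.0.1:8080/", "http://10.0.0.5/api", "http://[::1]/"):
        try:
            check_service(bad, fake_fetch)
        except UnsafeServiceURL as exc:
            print(bad, "->", exc)
```

Two caveats a practitioner should keep in mind: the address is checked at validation time, so a hostname whose DNS answer changes between validation and connection can still reach an internal address unless the client pins the resolved address, and any redirect the client follows must be re-validated. Restricting WEBLATE_MACHINERY, as the workaround above suggests, reduces the attack surface independently of either check by limiting which services can be configured at all.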
Credits
Thanks to @DavidCarliez for disclosing this via GitHub private vulnerability reporting.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-xrwr-fcw6-fmq8
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34244
- WEB https://github.com/WeblateOrg/weblate/pull/18684
- WEB https://github.com/WeblateOrg/weblate/commit/e619e9090202e4886b844c110d39308e7e882c0e
- PACKAGE https://github.com/WeblateOrg/weblate