HIGH 8.8 PyPI
Weblate: Privilege escalation in the user API endpoint
GHSA-3382-gw9x-477v · CVE-2026-34393 · PYSEC-2026-155
Description
Impact
The user patching API endpoint did not properly limit the scope of edits, allowing changes beyond what the caller should have been permitted to make.
Patches
Thanks to @tikket1 and @DavidCarliez for reporting this via GitHub. We received two individual reports for this.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3382-gw9x-477v
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34393
- WEB https://github.com/WeblateOrg/weblate/pull/18687
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-155.yaml