MEDIUM 5.0 PyPI
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
GHSA-ffgh-3jrf-8wvh · CVE-2026-40256
Description
Impact
Weblate repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as the repository path (for example, repo and repo_outside).
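The following is an added illustration of the prefix-collision class described above; it is not Weblate's code and the repository layout it builds (`repo`, `repo_outside`, a `link` symlink) is constructed for the example. It places the vulnerable `startswith` pattern next to a segment-aware check built on `os.path.commonpath`, and shows that resolving symlinks before the check is not enough on its own when the comparison is still a plain string prefix.

```python
import os
import tempfile
from pathlib import Path


def prefix_check(repo_root: str, resolved_path: str) -> bool:
    """Vulnerable pattern: plain string prefix on an already-resolved absolute path.

    Not path-segment aware, so '/srv/repo_outside/x' passes for root '/srv/repo'.
    """
    return resolved_path.startswith(repo_root)


def boundary_check(repo_root: str, resolved_path: str) -> bool:
    """Segment-aware check: the repo root must be a path-component ancestor (or equal).

    commonpath works on components, so a sibling that merely shares a string
    prefix ('repo_outside' next to 'repo') is rejected.
    """
    root = os.path.normpath(repo_root)
    path = os.path.normpath(resolved_path)
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:
        # Mixing absolute and relative paths, or different drives on Windows:
        # treat as outside the repository.
        return False


def resolve_and_check(repo_root: str, candidate: str) -> bool:
    """Resolve symlinks/junctions first, then apply the segment-aware comparison."""
    return boundary_check(os.path.realpath(repo_root), os.path.realpath(candidate))


def demo() -> dict:
    """Build a constructed layout and run both checks against a symlink escape.

    <tmp>/repo/                 the repository root
    <tmp>/repo_outside/secret   a sibling directory sharing the 'repo' string prefix
    <tmp>/repo/link -> ../repo_outside   (created only where symlinks are allowed)
    """
    results = {"symlink_supported": True}
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "repo_outside")
        os.makedirs(repo)
        os.makedirs(outside)
        Path(outside, "secret").write_text("constructed sample content\n")

        # Plain sibling-prefix collision, no symlink involved.
        root = os.path.realpath(repo)
        sibling = os.path.realpath(os.path.join(outside, "secret"))
        results["sibling_prefix"] = prefix_check(root, sibling)      # True: bypass
        results["sibling_boundary"] = boundary_check(root, sibling)  # False: rejected

        # Symlink inside the repo pointing at the look-alike sibling.
        link = os.path.join(repo, "link")
        try:
            os.symlink(outside, link, target_is_directory=True)
        except OSError:
            results["symlink_supported"] = False
            return results
        via_link = os.path.join(link, "secret")
        # realpath follows the link to <tmp>/repo_outside/secret; the prefix
        # check still accepts it because of the shared 'repo' string prefix.
        results["symlink_prefix"] = prefix_check(root, os.path.realpath(via_link))
        results["symlink_boundary"] = resolve_and_check(repo, via_link)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`boundary_check` is purely lexical, so it must always run on paths that have already been resolved (as `resolve_and_check` does); `pathlib.Path.is_relative_to` on Python 3.9+ gives the same component-wise semantics if a `pathlib` style is preferred.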
Patches
References
Thanks to m9nx4u for reporting this issue via HackerOne.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-ffgh-3jrf-8wvh
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-40256
- WEB https://github.com/WeblateOrg/weblate/pull/18847
- WEB https://github.com/WeblateOrg/weblate/commit/e30dbcb33ae78e754ecef192d54f996b89cb4e15
- PACKAGE https://github.com/WeblateOrg/weblate