CVE-2026-22251 MEDIUM

CVE-2026-22251: wlc may leak API keys due to an insecure API key configuration

Vendor Weblateorg

Product wlc

Weakness CWE-200 · Info exposure

Published January 12, 2026

Last update January 12, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Local

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

Key dates

02Disclosure timeline

January 12, 2026 CVE published

January 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-22251

Related vulnerabilities

04Related CVE

CVE-2023-31280 Exposure of Sensitive Information to an Unauthorized Actor CVE-2025-13526 OneClick Chat to Order <= 1.0.8 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure CVE-2022-29232 Exposure of messages in BigBlueButton public chats CVE-2024-7554 Exposure of Sensitive Information to an Unauthorized Actor in GitLab CVE-2023-44150 WordPress ProfilePress Plugin <= 4.13.2 is vulnerable to Sensitive Data Exposure