CVE-2026-33212 LOW

CVE-2026-33212: Weblate: Improper access control for pending tasks in API

Vendor Weblateorg
Product weblate
Weakness CWE-284
Published April 15, 2026
Last update April 15, 2026

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17.

Key dates

02Disclosure timeline

April 15, 2026 CVE published
April 15, 2026 Record updated