CVE-2026-27457 Overview
CVE-2026-27457 is an authorization bypass vulnerability in Weblate, a popular web-based localization tool used for software translation management. The vulnerability exists in the REST API's AddonViewSet class located in weblate/api/views.py. The implementation uses queryset = Addon.objects.all() without overriding the get_queryset() method to properly scope results based on user permissions. This allows any authenticated user (or anonymous users if REQUIRE_LOGIN is not enabled) to enumerate and retrieve all addon configurations across all projects and components via the GET /api/addons/ and GET /api/addons/{id}/ API endpoints.
Critical Impact
Unauthorized users can access addon configuration data across all Weblate projects and components, potentially exposing sensitive integration details and internal project structures.
Affected Products
- Weblate versions prior to 5.16.1
Discovery Timeline
- 2026-02-26 - CVE-2026-27457 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27457
Vulnerability Analysis
The vulnerability stems from a missing access control implementation in the AddonViewSet class within Weblate's REST API. Django REST Framework ViewSets use the queryset attribute to determine which database objects can be accessed through the API endpoints. By setting queryset = Addon.objects.all() without implementing a get_queryset() method that filters results based on the authenticated user's permissions, the API exposes all addon records to any user who can access the endpoint.
This design flaw is a classic Broken Access Control failure, catalogued as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the application does not enforce object-level authorization on the addon endpoints. The exposure is particularly concerning because addon configurations may contain sensitive information about project integrations, third-party service connections, and internal workflow details.
Root Cause
The root cause is the absence of permission-based filtering in the AddonViewSet class. The original implementation directly used Addon.objects.all() as the queryset, which returns all addon objects from the database without considering user permissions. The proper implementation should override get_queryset() to filter addons based on the requesting user's project membership and management permissions.
Attack Vector
An attacker can exploit this vulnerability by making authenticated API requests to enumerate addon configurations. If the Weblate instance has REQUIRE_LOGIN disabled, even anonymous users can access this data. The attack requires only network access to the Weblate API endpoints.
# Vulnerable code in weblate/api/views.py (before fix)
from rest_framework import viewsets
from rest_framework.mixins import DestroyModelMixin, UpdateModelMixin
from weblate.addons.models import Addon
from weblate.api.serializers import AddonSerializer
class AddonViewSet(viewsets.ReadOnlyModelViewSet, UpdateModelMixin, DestroyModelMixin):
    queryset = Addon.objects.all()  # No permission filtering: every addon row is served to any caller
    serializer_class = AddonSerializer
Source: GitHub Weblate Commit Fix
# Fixed implementation with proper access control: get_queryset() is overridden on
# AddonViewSet, so the class-level queryset no longer decides what the API serves
from django.db.models import Q  # module-level import needed by the filter below

class AddonViewSet(viewsets.ReadOnlyModelViewSet, UpdateModelMixin, DestroyModelMixin):
    serializer_class = AddonSerializer

    def get_queryset(self):
        # A user holding the global management.addons permission may see every addon
        if self.request.user.has_perm("management.addons"):
            return Addon.objects.order_by("id")
        # Everyone else is limited to addons attached to a project they manage,
        # or to a component that belongs to such a project
        return Addon.objects.filter(
            Q(project__in=self.request.user.managed_projects)
            | Q(component__project__in=self.request.user.managed_projects)
        ).order_by("id")
Source: GitHub Weblate Commit Fix
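To make the scoping rule concrete without a Django installation, here is an added in-memory model (not Weblate's code and not from the advisory) of the two querysets: visible_before reproduces the unfiltered Addon.objects.all() behaviour and visible_after reproduces the fixed get_queryset() rule, including both project-level and component-level addons. The Addon and User classes and the sample rows are constructed for the example; exposure_delta reports the addons a given user could read before the patch but not after it, which is the set to audit for leaked integration details.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass(frozen=True)
class Addon:
    id: int
    name: str
    project: Optional[str] = None            # project-wide addon (Addon.project is set)
    component_project: Optional[str] = None  # component addon: the component's project

@dataclass
class User:
    name: str
    managed_projects: Set[str] = field(default_factory=set)
    perms: Set[str] = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms

# Constructed sample data standing in for rows of the Addon table
ADDONS = [
    Addon(1, "weblate.git.squash", project="alpha"),
    Addon(2, "weblate.cleanup.generic", component_project="alpha"),
    Addon(3, "weblate.autotranslate.autotranslate", project="beta"),
    Addon(4, "weblate.discovery.discovery", component_project="gamma"),
]

def visible_before(user: User, addons=ADDONS) -> List[int]:
    # Pre-fix behaviour: queryset = Addon.objects.all(), no per-user filtering at all
    return sorted(a.id for a in addons)

def visible_after(user: User, addons=ADDONS) -> List[int]:
    # Fixed get_queryset(): the global management.addons permission sees everything;
    # otherwise only addons whose project, or whose component's project, is managed
    if user.has_perm("management.addons"):
        return sorted(a.id for a in addons)
    managed = user.managed_projects
    return sorted(
        a.id for a in addons
        if a.project in managed or a.component_project in managed
    )

def exposure_delta(user: User, addons=ADDONS) -> List[int]:
    # Addon ids this user could read before the patch but is denied after it:
    # the records whose configuration should be reviewed for leaked secrets
    return sorted(set(visible_before(user, addons)) - set(visible_after(user, addons)))
```

For example, a user managing only "alpha" sees addons 1 and 2 after the fix, while an anonymous or unrelated account sees none and had every addon exposed before the patch.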
Detection Methods for CVE-2026-27457
Indicators of Compromise
- Unusual volume of API requests to /api/addons/ endpoints from non-administrative users
- API access logs showing addon enumeration requests from users without project membership
- Requests to /api/addons/{id}/ endpoints where the ID belongs to projects the user should not have access to
Detection Strategies
- Monitor API access logs for requests to /api/addons/ endpoints and correlate with user permission levels
- Implement rate limiting on API endpoints to detect enumeration attempts
- Enable verbose logging for Django REST Framework to capture unauthorized access attempts
- Review authentication logs for anonymous access to addon endpoints when REQUIRE_LOGIN should be enforced
Monitoring Recommendations
- Configure alerting for API requests to addon endpoints from users without appropriate project permissions
- Set up monitoring for bulk API requests that may indicate enumeration behavior
- Implement audit logging for all addon-related API operations
- Review access patterns periodically to identify potential data exfiltration attempts
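The following added script (not from the advisory or from Weblate) shows one way to apply the strategies above to reverse-proxy access logs in front of Weblate. It assumes combined log format with the authenticated username in the third field ("-" for anonymous), which holds for basic auth at the proxy; with token authentication the username would have to come from Weblate's own request logging instead. The management roles and log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Combined log format; the third field is the remote user ("-" when anonymous)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ADDON_PATH = re.compile(r"^/api/addons/(?:(?P<id>\d+)/)?(?:\?.*)?$")

# Constructed sample: who holds management.addons, and who manages at least one project
ADDON_MANAGERS = {"admin"}
PROJECT_MANAGERS = {"alice"}

# Constructed sample log lines
SAMPLE_LOG = """\
10.0.0.5 - admin [26/Feb/2026:10:00:01 +0000] "GET /api/addons/ HTTP/1.1" 200 812
10.0.0.9 - bob [26/Feb/2026:10:00:02 +0000] "GET /api/addons/ HTTP/1.1" 200 812
10.0.0.9 - bob [26/Feb/2026:10:00:03 +0000] "GET /api/addons/1/ HTTP/1.1" 200 301
10.0.0.9 - bob [26/Feb/2026:10:00:03 +0000] "GET /api/addons/2/ HTTP/1.1" 200 298
10.0.0.9 - bob [26/Feb/2026:10:00:04 +0000] "GET /api/addons/3/ HTTP/1.1" 200 310
203.0.113.7 - - [26/Feb/2026:10:05:00 +0000] "GET /api/addons/ HTTP/1.1" 200 812
10.0.0.5 - alice [26/Feb/2026:10:06:00 +0000] "GET /api/projects/ HTTP/1.1" 200 500
"""

def analyse(log_text, id_threshold=3):
    """Findings: successful addon reads by anonymous callers, by users with no
    management role, and per-user reads of id_threshold or more distinct addon ids."""
    findings = []
    ids_seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = ADDON_PATH.match(m["path"])
        if not p or m["method"] != "GET" or m["status"] != "200":
            continue
        user, ip = m["user"], m["ip"]
        if user == "-":
            findings.append(("anonymous_addon_read", ip, m["path"]))
        elif user not in ADDON_MANAGERS and user not in PROJECT_MANAGERS:
            findings.append(("unprivileged_addon_read", user, m["path"]))
        if p["id"]:
            ids_seen[user].add(int(p["id"]))
    for user, ids in ids_seen.items():
        if len(ids) >= id_threshold:
            findings.append(("addon_id_enumeration", user, len(ids)))
    return findings
```

Calling analyse(SAMPLE_LOG) flags the anonymous listing, each of bob's four addon reads, and bob's walk across three addon ids; the admin's request produces no finding.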
How to Mitigate CVE-2026-27457
Immediate Actions Required
- Upgrade Weblate to version 5.16.1 or later immediately
- Enable REQUIRE_LOGIN in Weblate configuration if not already enabled to prevent anonymous access
- Review API access logs for any suspicious addon enumeration activity prior to patching
- Audit addon configurations for any sensitive information that may have been exposed
Patch Information
The vulnerability is fixed in Weblate version 5.16.1. The fix implements a get_queryset() method that properly filters addons based on user permissions, restricting access to addons within projects the user has management access to. Users with the management.addons permission retain access to all addons. The security patches are available in commits 3f58f9a and 7802c9b. For full details, see the GitHub Security Advisory and release notes for version 5.16.1.
Workarounds
- Enable REQUIRE_LOGIN = True in Weblate settings to prevent anonymous API access while awaiting the upgrade
- Implement reverse proxy rules to restrict access to /api/addons/ endpoints to trusted IP addresses
- Use network segmentation to limit API access to authorized internal networks only
- Consider temporarily disabling external API access until the patch is applied
# Configuration example - Enable REQUIRE_LOGIN in Weblate settings.py
REQUIRE_LOGIN = True
# Or via environment variable
export WEBLATE_REQUIRE_LOGIN=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

