CVE-2026-33212 Overview
CVE-2026-33212 is an authorization bypass vulnerability in Weblate, a web-based localization tool. In versions prior to 5.17, the tasks API failed to properly verify user access for pending tasks. This improper access control could expose logs of in-progress operations to users who lack access to the given scope, resulting in potential information disclosure.
Critical Impact
Unauthorized users may access sensitive operation logs from pending tasks they should not have visibility into, potentially exposing translation project details and workflow information.
Affected Products
- Weblate versions prior to 5.17
Discovery Timeline
- April 15, 2026 - CVE-2026-33212 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33212
Vulnerability Analysis
This vulnerability is classified under CWE-284 (Improper Access Control). The core issue lies in the tasks API endpoint failing to implement proper authorization checks when users query pending task information. Exploitation requires network access and an authenticated account, and is further constrained by the need to guess the random UUIDs that identify tasks; the default API rate limits in Weblate significantly reduce the practical exploitability of this vulnerability. Note that a hard-to-guess identifier is a hurdle, not an authorization control: any user who learns a task UUID by other means (a shared link, a log line, a browser history) bypasses the guessing problem entirely.
The information exposure is limited to operational logs of in-progress tasks, which could reveal details about translation projects, components, or other localization operations that users should not have access to within their scope.
Root Cause
The root cause is a missing authorization verification step in the tasks API. When handling requests for pending task status, the API returned task progress and metadata without first confirming that the requesting user had appropriate permissions to access the scope associated with that task. This represents a classic broken access control pattern where authentication is present but authorization checks are incomplete.
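The pattern described above, as an added illustration that is not Weblate's code: a task-status handler that trusts the task identifier alone, beside one that resolves the task's scope and requires the caller to hold access to it before returning anything. The task registry, the "project:name" scope keys, the status-code return values and the sample log lines are all constructed for this example.

```python
import uuid
from dataclasses import dataclass


@dataclass
class Task:
    task_id: str
    scope: str          # hypothetical scope key, e.g. "project:alpha"
    progress: int
    log: list


@dataclass(frozen=True)
class User:
    username: str
    scopes: frozenset   # scopes this user is allowed to read


# In-memory stand-in for the task backend (constructed for this example).
TASKS = {}


def submit_task(scope, progress, log):
    """Register a pending task and return its random identifier."""
    # 122 random bits make the ID impractical to guess, but knowing the ID
    # is not the same as being authorized for the task's scope.
    task_id = str(uuid.uuid4())
    TASKS[task_id] = Task(task_id, scope, progress, list(log))
    return task_id


def task_status_vulnerable(user, task_id):
    """Before: the caller is authenticated, but authorization is never checked.
    Any logged-in user who knows or guesses a task ID receives its log."""
    task = TASKS.get(task_id)
    if task is None:
        return 404, {"detail": "Not found."}
    return 200, {"progress": task.progress, "log": list(task.log)}


def task_status_fixed(user, task_id):
    """After: look up the task's scope first and require access to it."""
    task = TASKS.get(task_id)
    if task is None or task.scope not in user.scopes:
        # Identical answer for "no such task" and "not your task", so the
        # endpoint cannot be used as an oracle confirming that a guessed ID exists.
        return 404, {"detail": "Not found."}
    return 200, {"progress": task.progress, "log": list(task.log)}


if __name__ == "__main__":
    alice = User("alice", frozenset({"project:alpha"}))
    mallory = User("mallory", frozenset({"project:beta"}))
    tid = submit_task("project:alpha", 40,
                      ["Removing component alpha/web", "Deleting 1200 units"])
    print("vulnerable, other scope:", task_status_vulnerable(mallory, tid))
    print("fixed, other scope:     ", task_status_fixed(mallory, tid))
    print("fixed, owner:           ", task_status_fixed(alice, tid))
```

The fixed handler deliberately collapses "missing" and "forbidden" into one response; returning a distinct "forbidden" status would tell an enumerating attacker which guessed IDs are real, which is a smaller but still useful leak.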
Attack Vector
The attack requires an authenticated user to make API requests targeting the tasks endpoint. The attacker would need to:
- Obtain valid authentication credentials for Weblate
- Enumerate or brute-force task UUIDs (random identifiers)
- Query the tasks API for pending task information
- Extract operation logs from tasks outside their authorized scope
The random UUID requirement significantly increases attack complexity, as the attacker cannot easily predict valid task identifiers without extensive brute-forcing attempts.
The security patch modified weblate/api/views.py. The excerpt of the commit reproduced below shows only the new import of get_task_metadata that the fix relies on; the view change that calls it is not included in this excerpt:
from weblate.trans.tasks import category_removal, component_removal, project_removal
from weblate.trans.views.files import download_multi
from weblate.trans.views.reports import generate_credits
-from weblate.utils.celery import get_task_progress
+from weblate.utils.celery import get_task_metadata, get_task_progress
from weblate.utils.docs import get_doc_url
from weblate.utils.errors import report_error
from weblate.utils.lock import WeblateLockTimeoutError
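Review bot: the hunk adds get_task_metadata to the import line but the call site that performs the check is missing from this excerpt, so the visible lines do not by themselves demonstrate the authorization fix (and, taken alone, the new import would be unused). Include the lines from the tasks view where get_task_metadata is consulted before get_task_progress is returned, so a reader can verify that the requesting user's access to the task's scope is checked.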
Source: GitHub Commit Update
Detection Methods for CVE-2026-33212
Indicators of Compromise
- Unusual volume of API requests to the tasks endpoint from a single authenticated user or API token
- Many requests for distinct task UUIDs from one user within a short window, most of them referencing tasks that do not exist; legitimate clients poll the same task ID repeatedly, enumeration attempts touch many different IDs (task UUIDs are random, so "sequential" IDs are not expected)
- Task queries that, when joined against the requesting user's project and component permissions, reference scopes the user cannot access
- Rate limit threshold alerts on the tasks API endpoint
Detection Strategies
- Monitor API access logs for anomalous patterns in task endpoint requests
- Implement alerting on rate limit triggers for the tasks API
- Review authentication logs for users making excessive task status queries
- Correlate task access attempts with user permission scopes to identify unauthorized access patterns
Monitoring Recommendations
- Enable detailed logging on the Weblate tasks API endpoint
- Configure alerts for API rate limit violations
- Implement user behavior analytics to detect brute-force enumeration attempts
- Regularly audit access logs for task queries that cross scope boundaries
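The detection logic above, run over sample request-log lines, as an added example that is not part of the page or of Weblate. The log format (time, user, method, path, status), the /api/tasks/<uuid>/ path, the 404 "no such task" response and the threshold values are assumptions for this example; a real deployment first has to join its web-server access log with the API token or session that made each request, since stock access logs do not carry the Weblate username.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed request-log format (constructed for this example):
#   <ISO-8601 UTC time> <user> <method> <path> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed path of the per-task endpoint: /api/tasks/<uuid>/
TASK_PATH_RE = re.compile(r"^/api/tasks/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/$")


def constructed_log():
    """Sample lines: alice polls one task (normal UI behaviour), bob looks at a
    few tasks, mallory hammers 30 different guessed IDs in 30 seconds."""
    lines = []
    alice_task = "6c3a9f1e-2b4d-4a7c-9e10-1f2e3d4c5b6a"
    for i in range(30):
        lines.append(f"2026-04-16T10:00:{i:02d}Z alice GET /api/tasks/{alice_task}/ 200")
    for i in range(5):
        lines.append(f"2026-04-16T10:00:{i:02d}Z bob GET /api/tasks/11111111-1111-4111-8111-{i:012x}/ 200")
    for i in range(30):
        status = 200 if i == 7 else 404      # one lucky hit among 29 misses
        lines.append(f"2026-04-16T10:01:{i:02d}Z mallory GET /api/tasks/00000000-0000-4000-8000-{i:012x}/ {status}")
    lines.append("2026-04-16T10:02:00Z alice GET /api/projects/ 200")   # unrelated request, ignored
    return lines


def find_enumerators(lines, window=timedelta(minutes=5),
                     min_requests=20, min_distinct=10):
    """Flag users who, within `window`, hit the tasks endpoint at least
    `min_requests` times for at least `min_distinct` different task IDs."""
    per_user = defaultdict(list)            # user -> [(time, task_id, status)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, _method, path, status = m.groups()
        p = TASK_PATH_RE.match(path)
        if not p:
            continue
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        per_user[user].append((t, p.group(1), int(status)))

    alerts = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):      # sliding window over this user's events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            distinct = {task_id for _, task_id, _ in win}
            if len(win) < min_requests or len(distinct) < min_distinct:
                continue
            misses = sum(1 for _, _, st in win if st == 404)
            # Keep the largest qualifying window seen for this user.
            if user not in alerts or len(win) > alerts[user]["requests"]:
                alerts[user] = {
                    "requests": len(win),
                    "distinct_tasks": len(distinct),
                    "miss_ratio": round(misses / len(win), 2),
                    "first_seen": win[0][0].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for user, info in find_enumerators(constructed_log()).items():
        print(user, info)
```

The distinct-ID count is what separates enumeration from the normal pattern of a browser polling a single task until it completes; a pure request-count threshold would flag both. The miss ratio is reported for the analyst rather than used as a trigger, because after the fix a forbidden task and a non-existent one are indistinguishable to the requester and the ratio says little about success.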
How to Mitigate CVE-2026-33212
Immediate Actions Required
- Upgrade Weblate to version 5.17 or later immediately
- Review API access logs for any suspicious task endpoint activity
- Verify that default API rate limits are properly configured and active
- Audit user permissions to ensure proper scope restrictions are in place
Patch Information
The vulnerability has been addressed in Weblate version 5.17. The fix improves API access control for pending tasks by implementing proper authorization verification before returning task information. For detailed information about the patch, refer to the GitHub Security Advisory GHSA-vj45-x3pj-f4w4 and the corresponding commit.
Workarounds
- Ensure API rate limiting is enabled and configured to prevent brute-force attempts
- Restrict API access to trusted networks where possible
- Implement additional network-level controls to limit API endpoint exposure
- Monitor and alert on excessive API requests targeting the tasks endpoint
# Verify Weblate version after upgrade (the Django-style "--version" flag reports
# the Django version, not Weblate's; list_versions prints Weblate and its dependencies)
weblate list_versions
# Expected output should show Weblate 5.17 or higher; the running version is
# also displayed on the About page of the web interface
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

