Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33435

CVE-2026-33435: Weblate RCE Vulnerability

CVE-2026-33435 is a remote code execution flaw in Weblate caused by improper filtering of Git and Mercurial configuration files in project backups. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-33435 Overview

CVE-2026-33435 is a remote code execution vulnerability in Weblate, a web-based localization tool. In versions prior to 5.17, the project backup functionality fails to properly filter Git and Mercurial configuration files, which could allow attackers to achieve remote code execution under certain circumstances. This vulnerability is classified as CWE-23 (Relative Path Traversal).

Critical Impact

Attackers with project creation privileges can exploit unfiltered VCS configuration files in project backups to achieve remote code execution on the target system.

Affected Products

  • Weblate versions prior to 5.17

Discovery Timeline

  • April 15, 2026 - CVE-2026-33435 published to NVD
  • April 15, 2026 - Last updated in NVD database

Technical Details for CVE-2026-33435

Vulnerability Analysis

This vulnerability stems from insufficient input validation in the project backup feature of Weblate. When creating project backups, the application fails to properly sanitize or exclude Git (.git/) and Mercurial (.hg/) configuration directories and their associated files. These version control system configuration files can contain executable hooks and configuration directives that are processed when the repository is accessed.

The attack requires elevated privileges (users who can create projects) and network access, but upon successful exploitation, can affect resources beyond the vulnerable component's security scope. This vulnerability enables an attacker to craft malicious VCS configuration files that execute arbitrary commands when the backup is restored or when the repository is subsequently accessed by the application.

Root Cause

The root cause of CVE-2026-33435 is a relative path traversal issue (CWE-23) in the backup filtering logic. The Weblate application did not implement proper filtering rules to exclude potentially dangerous version control system configuration files from project backups. Git and Mercurial both support hooks—executable scripts that run automatically on certain events—which can be abused to execute arbitrary code when repositories are cloned, checked out, or otherwise processed.

Attack Vector

The attack vector is network-based and requires the attacker to have high-level privileges (specifically, the ability to create projects within Weblate). An attacker could create a malicious project containing specially crafted Git or Mercurial configuration files with embedded executable hooks. When this project is backed up and subsequently restored, or when the VCS configuration is processed by the system, the malicious hooks execute with the privileges of the Weblate application.

The vulnerability mechanism involves placing malicious scripts in VCS hook directories (such as .git/hooks/ or .hg/) that get included in project backups due to insufficient file filtering. These hooks can be triggered during common Git or Mercurial operations, leading to command execution on the server.

Detection Methods for CVE-2026-33435

Indicators of Compromise

  • Unexpected files within .git/hooks/ or .hg/ directories in project backups
  • Unusual executable scripts or shell commands in version control configuration files
  • Unexpected process spawns or command executions from the Weblate application context
  • Suspicious backup restore operations followed by anomalous system activity

Detection Strategies

  • Monitor file system access patterns for reads/writes to VCS configuration directories within Weblate project paths
  • Implement integrity monitoring on Git and Mercurial hook directories within project repositories
  • Review project backups for the presence of .git/ or .hg/ directories containing executable hooks
  • Audit user activities related to project creation and backup operations

Monitoring Recommendations

  • Enable comprehensive logging for all project creation and backup/restore operations
  • Deploy file integrity monitoring on Weblate project directories, particularly VCS configuration paths
  • Configure alerts for unexpected child process creation from Weblate application processes
  • Monitor for network connections initiated by hook scripts or unexpected subprocess executions

How to Mitigate CVE-2026-33435

Immediate Actions Required

  • Upgrade Weblate to version 5.17 or later immediately
  • Review existing project backups for potentially malicious VCS configuration files
  • Restrict project creation privileges to trusted administrators only
  • Audit recent project backup and restore activities for signs of exploitation

Patch Information

The vulnerability has been addressed in Weblate version 5.17. The fix implements proper filtering of Git and Mercurial configuration files during the project backup process, preventing potentially malicious VCS hooks from being included in backups.

For technical details on the fix, refer to the GitHub Pull Request 18549 and the GitHub Security Advisory GHSA-558g-h753-6m33.

Workarounds

  • Restrict access to the project backup feature, limiting it to only highly trusted administrators
  • Implement additional access controls to prevent unauthorized users from creating projects
  • Manually review and sanitize project backups before restoration, removing any .git/ or .hg/ directories
  • Consider disabling project backup functionality entirely until the upgrade can be completed
bash
# Example: Restrict project backup access in Weblate
# Limit project creation to admin users only via Django admin settings
# Review and audit user permissions regularly
weblate createadmin --update
weblate check --deploy

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.