CVE-2026-33435 Overview
CVE-2026-33435 is a remote code execution vulnerability in Weblate, a web-based localization tool. In versions prior to 5.17, the project backup functionality fails to properly filter Git and Mercurial configuration files, which could allow attackers to achieve remote code execution under certain circumstances. This vulnerability is classified as CWE-23 (Relative Path Traversal).
Critical Impact
Attackers with project creation privileges can exploit unfiltered VCS configuration files in project backups to achieve remote code execution on the target system.
Affected Products
- Weblate versions prior to 5.17
Discovery Timeline
- April 15, 2026 - CVE-2026-33435 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33435
Vulnerability Analysis
This vulnerability stems from insufficient input validation in the project backup feature of Weblate. When creating project backups, the application fails to properly sanitize or exclude Git (.git/) and Mercurial (.hg/) configuration directories and their associated files. These version control system configuration files can contain executable hooks and configuration directives that are processed when the repository is accessed.
The attack requires elevated privileges (users who can create projects) and network access, but upon successful exploitation, can affect resources beyond the vulnerable component's security scope. This vulnerability enables an attacker to craft malicious VCS configuration files that execute arbitrary commands when the backup is restored or when the repository is subsequently accessed by the application.
Root Cause
The root cause of CVE-2026-33435 is a relative path traversal issue (CWE-23) in the backup filtering logic. The Weblate application did not implement proper filtering rules to exclude potentially dangerous version control system configuration files from project backups. Git and Mercurial both support hooks, executable scripts that run automatically on certain events, which can be abused to execute arbitrary code when repositories are cloned, checked out, or otherwise processed.
Attack Vector
The attack vector is network-based and requires the attacker to have high-level privileges (specifically, the ability to create projects within Weblate). An attacker could create a malicious project containing specially crafted Git or Mercurial configuration files with embedded executable hooks. When this project is backed up and subsequently restored, or when the VCS configuration is processed by the system, the malicious hooks execute with the privileges of the Weblate application.
The vulnerability mechanism involves placing malicious scripts in VCS hook directories (such as .git/hooks/ or .hg/) that get included in project backups due to insufficient file filtering. These hooks can be triggered during common Git or Mercurial operations, leading to command execution on the server.
Detection Methods for CVE-2026-33435
Indicators of Compromise
- Unexpected files within .git/hooks/ or .hg/ directories in project backups
- Unusual executable scripts or shell commands in version control configuration files
- Unexpected process spawns or command executions from the Weblate application context
- Suspicious backup restore operations followed by anomalous system activity
Detection Strategies
- Monitor file system access patterns for reads/writes to VCS configuration directories within Weblate project paths
- Implement integrity monitoring on Git and Mercurial hook directories within project repositories
- Review project backups for the presence of .git/ or .hg/ directories containing executable hooks
- Audit user activities related to project creation and backup operations
Monitoring Recommendations
- Enable comprehensive logging for all project creation and backup/restore operations
- Deploy file integrity monitoring on Weblate project directories, particularly VCS configuration paths
- Configure alerts for unexpected child process creation from Weblate application processes
- Monitor for network connections initiated by hook scripts or unexpected subprocess executions
How to Mitigate CVE-2026-33435
Immediate Actions Required
- Upgrade Weblate to version 5.17 or later immediately
- Review existing project backups for potentially malicious VCS configuration files
- Restrict project creation privileges to trusted administrators only
- Audit recent project backup and restore activities for signs of exploitation
Patch Information
The vulnerability has been addressed in Weblate version 5.17. The fix implements proper filtering of Git and Mercurial configuration files during the project backup process, preventing potentially malicious VCS hooks from being included in backups.
For technical details on the fix, refer to the GitHub Pull Request 18549 and the GitHub Security Advisory GHSA-558g-h753-6m33.
Workarounds
- Restrict access to the project backup feature, limiting it to only highly trusted administrators
- Implement additional access controls to prevent unauthorized users from creating projects
- Manually review and sanitize project backups before restoration, removing any .git/ or .hg/ directories
- Consider disabling project backup functionality entirely until the upgrade can be completed
# Example: post-upgrade housekeeping on a Weblate deployment
# Note: neither command below restricts project creation or backup access by itself;
# those restrictions are applied through Weblate's user and group permissions
# (project creation and backup rights) by an administrator.
# Update the existing admin account (createadmin --update is Weblate's own command)
weblate createadmin --update
# Run the Django/Weblate deployment checks
weblate check --deploy
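The review step from the detection and workaround lists above (checking a project backup for .git/ or .hg/ content and removing it before restore), as an added example that is not Weblate's own code nor the fix from PR 18549. It assumes the backup is a zip archive; the sample archive and its paths are constructed inline.

```python
import io
import zipfile
from posixpath import normpath

# Directory names that hold VCS metadata. Git hooks and config live under .git/;
# Mercurial hooks are declared in .hg/hgrc, so the whole .hg/ tree is treated as suspect.
VCS_DIRS = {".git", ".hg"}


def is_vcs_entry(name):
    """True if an archive member sits inside (or is) a .git/.hg directory at any depth.
    The path is normalised first so './' and '..' segments are resolved before matching."""
    parts = normpath(name).split("/")
    return any(p in VCS_DIRS for p in parts)


def audit_backup(data):
    """Return the sorted list of VCS-related members found in a zip backup (bytes)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(n for n in zf.namelist() if is_vcs_entry(n))


def filter_backup(data):
    """Return a new zip (bytes) with every .git/ and .hg/ member dropped."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if not is_vcs_entry(info.filename):
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def list_members(data):
    """Helper for inspection: member names of a zip backup (bytes)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def make_sample_backup():
    """Constructed sample: translations plus VCS metadata as an unfiltered backup would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/components.json", "{}")
        zf.writestr("project/vcs/hello/po/cs.po", 'msgid "Hi"\nmsgstr "Ahoj"\n')
        zf.writestr("project/vcs/hello/.git/config", "[core]\n")
        zf.writestr("project/vcs/hello/.git/hooks/post-checkout", "#!/bin/sh\n# placeholder\n")
        zf.writestr("project/vcs/hello/.hg/hgrc", "[hooks]\n")
    return buf.getvalue()
```

Run `audit_backup` over an existing backup to list what would be restored from VCS directories; `filter_backup` produces the sanitised copy to restore instead.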
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

