CVE-2026-34244 Overview
CVE-2026-34244 is a Server-Side Request Forgery (SSRF) vulnerability affecting Weblate, a web-based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message, constituting an SSRF with partial response read capability.
Critical Impact
Authenticated attackers can probe internal network services, potentially exposing sensitive information from internal endpoints including cloud metadata services, internal APIs, and configuration endpoints.
Affected Products
- Weblate versions prior to 5.17
Discovery Timeline
- April 15, 2026 - CVE-2026-34244 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34244
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists in Weblate's machine translation service configuration functionality. When users with administrative privileges for a project configure custom machine translation endpoints, the application validates these URLs by making HTTP requests to them. The application then reflects portions of the response back to the user in error messages, creating an information disclosure channel.
The attack requires authenticated access with project.edit permissions, limiting the attack surface to users who have already been granted administrative roles within specific projects. However, in multi-tenant environments or instances with relaxed permission models, this could be exploited by malicious insiders or compromised accounts.
Root Cause
The root cause lies in insufficient validation and restriction of user-supplied URLs for machine translation service endpoints. The application fails to properly sanitize or restrict the destination of outbound HTTP requests, allowing attackers to specify arbitrary internal network addresses. Additionally, the error handling mechanism inadvertently exposes response content from these internal requests back to the user.
Attack Vector
The attack is network-based and requires low privileges (authenticated user with project administration role). An attacker would navigate to the machine translation service configuration interface and supply a malicious URL targeting internal resources such as:
- Cloud provider metadata endpoints (e.g., http://169.254.169.254/)
- Internal web services and APIs
- Local network resources and administrative interfaces
- Configuration management endpoints
When Weblate validates the supplied URL, its backend issues an HTTP request to that destination. Because the response handling does not restrict what is returned to the user, up to 200 characters of the response body are reflected in an error message, so each validation attempt leaks a limited amount of data from the targeted internal service. For detailed technical analysis, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34244
Indicators of Compromise
- Unusual outbound HTTP requests from the Weblate server to internal IP ranges or cloud metadata services
- Multiple failed machine translation configuration attempts from a single user
- Configuration changes targeting non-standard or internal URLs for translation services
- Error logs containing responses from internal services reflected in validation messages
Detection Strategies
- Monitor Weblate application logs for machine translation configuration changes targeting internal network addresses
- Implement network-level monitoring to detect requests from the Weblate server to internal metadata endpoints (e.g., 169.254.169.254)
- Configure alerting for repeated validation failures in machine translation service configurations
- Review audit logs for users with project.edit permissions making unusual configuration changes
Monitoring Recommendations
- Enable verbose logging for machine translation service configuration changes
- Deploy network segmentation and monitoring to track outbound requests from the Weblate application server
- Implement rate limiting on configuration validation endpoints to slow reconnaissance attempts
- Establish baseline network traffic patterns to identify anomalous internal scanning activity
How to Mitigate CVE-2026-34244
Immediate Actions Required
- Upgrade Weblate to version 5.17 or later immediately
- Review and audit users with project.edit permissions, removing unnecessary administrative access
- Implement network segmentation to restrict the Weblate server's access to sensitive internal resources
- Monitor for suspicious machine translation configuration attempts in application logs
Patch Information
The vulnerability has been fixed in Weblate version 5.17. The patch is available through the GitHub commit e619e9090202e4886b844c110d39308e7e882c0e. Organizations should prioritize upgrading to the patched version to eliminate this SSRF vulnerability. Additional details are available in the GitHub Security Advisory.
Workarounds
- If immediate upgrade is not possible, limit available machinery services using the WEBLATE_MACHINERY configuration setting
- Restrict network access from the Weblate server to internal resources using firewall rules
- Implement egress filtering to block requests to cloud metadata endpoints and internal network ranges
- Review and restrict project.edit permissions to only trusted administrators
# Configuration example - Limit machinery services in Weblate settings
# Add to your Weblate configuration file (settings.py)
WEBLATE_MACHINERY = [
    # Only include trusted, pre-approved translation services
    "weblate.machinery.deepl.DeepLTranslation",
    "weblate.machinery.google.GoogleTranslation",
]
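The root-cause and detection points above in working code: rejecting non-public destinations before the outbound request is made, keeping the upstream response body out of the user-facing error, and scanning audit-style log lines for configuration attempts that target internal addresses. This is an added example written for this page, not Weblate's code or its patch; it is in Python because Weblate is a Django application. The audit-log line format, the names is_internal_destination, check_service, scan_audit_log and UnsafeServiceUrl, the local-hostname suffix list and the sample log lines are all constructed for the illustration.

```python
"""Destination check for user-supplied machinery URLs, a hardened error path,
and a scan of audit-style log lines using the same check.

Added example, not Weblate's own code. The audit-log layout, the function and
exception names and the sample lines are constructed for illustration."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Hostname suffixes that never name a public translation service (constructed list).
_LOCAL_HOST_SUFFIXES = ("localhost", ".internal", ".local")


def is_internal_destination(url: str) -> bool:
    """Return True when `url` must not be fetched by the application server.

    Rejected: non-http(s) schemes, a missing host, any IP literal that is not
    globally routable (loopback, RFC 1918, link-local incl. 169.254.0.0/16 where
    cloud metadata lives, and the IPv6 equivalents), clearly local hostnames,
    and bare single-label names such as "intranet" (conservative default)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return True
    host = parsed.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. A production check must also resolve the name,
        # re-test every returned address, and connect to the vetted address
        # instead of resolving again (DNS rebinding).
        return host.endswith(_LOCAL_HOST_SUFFIXES) or "." not in host
    # Judge IPv4-mapped IPv6 literals (::ffff:a.b.c.d) by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


class UnsafeServiceUrl(ValueError):
    """Raised before any outbound request is issued."""


def check_service(url: str, fetch):
    """Validate a configured machinery endpoint without leaking its response.

    `fetch(url)` is an injected callable returning (status_code, body) so this
    runs offline; a real implementation would use an HTTP client with a short
    timeout and redirects disabled, since a redirect could re-point the request
    at an internal address after the check. Returns (user_message, log_entry):
    the upstream body goes only into the truncated server-side log entry."""
    if is_internal_destination(url):
        raise UnsafeServiceUrl("machinery URL must point to a public translation service")
    status, body = fetch(url)
    if status == 200:
        return "Service check succeeded.", None
    user_message = f"Service check failed (HTTP {status})."
    log_entry = f"machinery check {url} -> HTTP {status}: {body[:200]!r}"
    return user_message, log_entry


# Constructed audit-log layout for this example (not Weblate's real log format).
_AUDIT_RE = re.compile(r"user=(?P<user>\S+)\s+action=machinery_config\s+url=(?P<url>\S+)")


def scan_audit_log(lines, repeat_threshold: int = 3):
    """Return (flagged, repeat_offenders).

    flagged: (user, url) for every configuration attempt whose machinery URL
    targets a non-public destination. repeat_offenders: users with at least
    `repeat_threshold` such attempts, i.e. the repeated-failure signal from the
    Detection Strategies list."""
    flagged = []
    for line in lines:
        m = _AUDIT_RE.search(line)
        if m and is_internal_destination(m.group("url")):
            flagged.append((m.group("user"), m.group("url")))
    counts = Counter(user for user, _ in flagged)
    repeat_offenders = sorted(u for u, n in counts.items() if n >= repeat_threshold)
    return flagged, repeat_offenders


SAMPLE_AUDIT_LINES = [  # constructed sample data
    "2026-04-15T10:00:01Z user=alice action=machinery_config url=https://translate.example.com/api",
    "2026-04-15T10:00:09Z user=mallory action=machinery_config url=http://169.254.169.254/",
    "2026-04-15T10:00:15Z user=mallory action=machinery_config url=http://127.0.0.1:8080/",
    "2026-04-15T10:00:22Z user=mallory action=machinery_config url=http://[::1]/",
    "2026-04-15T10:00:30Z user=bob action=machinery_config url=http://intranet/status",
]

if __name__ == "__main__":
    flagged, offenders = scan_audit_log(SAMPLE_AUDIT_LINES)
    for user, url in flagged:
        print(f"ALERT non-public machinery destination: user={user} url={url}")
    print("repeat offenders:", offenders)
```

Running the file prints four alerts (three for mallory, one for bob's single-label hostname) and lists mallory as a repeat offender. The two halves share one decision function: the same classifier that blocks the request in check_service is what the log scan applies after the fact, so the egress policy and the detection rule cannot drift apart. The hostname branch is deliberately conservative; in production it must be paired with resolution of the name and a re-check of every returned address.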
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

