CVE-2026-39845 Overview
CVE-2026-39845 is a Server-Side Request Forgery (SSRF) vulnerability in Weblate, a popular web-based localization tool used for managing translations in software projects. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections, allowing authenticated users with high privileges to potentially make unauthorized requests to internal resources.
Critical Impact
Authenticated attackers with administrative privileges can exploit the webhook add-on to bypass SSRF protections, potentially accessing internal network resources and sensitive information that should not be externally accessible.
Affected Products
- Weblate versions prior to 5.17
Discovery Timeline
- April 15, 2026 - CVE-2026-39845 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-39845
Vulnerability Analysis
This vulnerability is classified under CWE-918 (Server-Side Request Forgery). SSRF vulnerabilities occur when an application can be manipulated to make HTTP requests to arbitrary destinations, potentially including internal network resources that are not meant to be accessible from the outside.
In the context of Weblate, the webhook add-on functionality allows users to configure webhooks that send notifications to external URLs when certain translation events occur. The vulnerability stems from the webhook add-on failing to leverage the existing SSRF protection mechanisms that were already implemented elsewhere in the Weblate codebase.
The network-based attack vector requires high privileges to exploit, meaning an attacker would need administrative access to the Weblate instance. While this limits the attack surface, compromised admin accounts or malicious insiders could still leverage this vulnerability to probe internal infrastructure.
Root Cause
The root cause of this vulnerability is the inconsistent application of security controls within the Weblate codebase. While SSRF protections existed in the application, the webhook add-on component was not properly integrated with these existing safeguards. This architectural oversight allowed webhook requests to bypass URL validation and filtering mechanisms that would normally prevent requests to internal or restricted network addresses.
Attack Vector
The attack vector involves an authenticated user with high-level privileges (such as an administrator) configuring a malicious webhook URL targeting internal network resources. When the webhook is triggered by a translation event, Weblate's server makes a request to the attacker-specified URL. Without proper SSRF protections, this could allow:
- Scanning internal network services and ports
- Accessing cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254)
- Reaching internal APIs and services not exposed to the internet
- Potentially exfiltrating sensitive configuration data
The vulnerability requires network access and high privileges but no user interaction, and its scope is changed: a successful request can affect resources beyond the vulnerable component's security authority.
Detection Methods for CVE-2026-39845
Indicators of Compromise
- Webhook configurations pointing to internal IP addresses or localhost (127.0.0.1, 10.x.x.x, 192.168.x.x, 172.16-31.x.x)
- Unusual outbound requests from the Weblate server to internal network segments
- Webhook URLs targeting cloud metadata endpoints or internal service discovery endpoints
- Audit log entries showing webhook creation or modification by unexpected users
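The kind of URL check the root cause and attack vector sections say the webhook add-on bypassed, and which the indicators above describe from the detection side, written here as an added Python example (not Weblate's own code; the resolver hook and the FAKE_DNS table are constructed so it runs offline): every address a webhook host resolves to must be public, with IPv4-mapped IPv6 literals and the cloud metadata address handled explicitly. Because DNS answers can change between configuration time and delivery time, the same check belongs both when a webhook is saved and right before each request, and it can be run over existing webhook configurations to flag entries worth investigating.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
METADATA_IP = ipaddress.ip_address("169.254.169.254")  # cloud metadata, per advisory

def dns_resolver(host):
    """Every A/AAAA answer for host; raises OSError when resolution fails."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_blocked_address(addr):
    """True for loopback, private, link-local, multicast, reserved or metadata IPs."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is an IPv4-mapped IPv6 literal and must be judged as 10.0.0.1.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip == METADATA_IP or ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)

def validate_webhook_url(url, resolver=dns_resolver):
    """Return (ok, reason). Every address the host resolves to must be public,
    so a name with one public and one internal answer is rejected as well."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addrs = {host}  # IP literal, nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # unresolvable names fail closed
            return False, f"resolution failed: {exc}"
    blocked = sorted(a for a in addrs if is_blocked_address(a))
    if blocked:
        return False, f"{host} resolves to blocked address(es): {blocked}"
    return True, "ok"

# Constructed DNS table so the example runs offline; these are not real hosts.
FAKE_DNS = {"hooks.example.com": {"1.2.3.4"},
            "rebind.example.com": {"1.2.3.4", "10.0.0.5"}}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]
```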
Detection Strategies
- Monitor outbound network traffic from Weblate servers for connections to internal IP ranges
- Review webhook configurations in Weblate admin panel for suspicious URLs
- Implement network-level egress filtering to detect and alert on internal network access attempts
- Enable detailed logging for webhook operations to track request destinations
Monitoring Recommendations
- Set up alerts for webhook configuration changes in Weblate audit logs
- Deploy network monitoring to identify SSRF-pattern traffic (requests to internal IPs, metadata endpoints)
- Regularly audit administrative user accounts for unauthorized access
- Monitor for failed connection attempts to internal services from the Weblate application server
How to Mitigate CVE-2026-39845
Immediate Actions Required
- Upgrade Weblate to version 5.17 or later to receive the security fix
- Audit all existing webhook configurations for suspicious or internal URLs
- Review administrative account access and ensure only authorized users have webhook management permissions
- If unable to upgrade immediately, disable the webhook add-on as a temporary workaround
Patch Information
The vulnerability has been addressed in Weblate version 5.17. The fix ensures that the webhook add-on properly utilizes the existing SSRF protection mechanisms within the application. Organizations should upgrade to this version or later as soon as possible.
For detailed information about the fix, refer to the GitHub Pull Request and the GitHub Security Advisory.
Workarounds
- Disable the webhook add-on in Weblate settings if the functionality is not required
- Implement network-level egress filtering to block requests from the Weblate server to internal network ranges
- Restrict administrative access to trusted users only and enable multi-factor authentication
- Deploy a web application firewall (WAF) or proxy to monitor and filter outbound requests from the application server
# Example: Network egress rules to mitigate SSRF (iptables)
# Block outbound connections to internal networks from the Weblate server.
# iptables evaluates rules in order, so ACCEPT rules for services Weblate
# legitimately needs on the internal network (database, cache, mail relay)
# must be appended before these DROPs, for example:
# iptables -A OUTPUT -d <db-host>/32 -p tcp --dport <db-port> -j ACCEPT
# To limit the rules to the Weblate process only, add "-m owner --uid-owner <weblate-user>".
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# These rules cover IPv4 only; mirror them with ip6tables if the host has IPv6.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

