CVE-2026-33214 - Vulnerability Details - OpenCVE

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Weblate	Weblate

No data.

No data.

References

Link	Providers
https://github.com/WeblateOrg/weblate/pull/18513
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r

History

Thu, 16 Apr 2026 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Weblate Weblate weblate
Vendors & Products		Weblate Weblate weblate

Wed, 15 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 15 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature.
Title		Weblate has improper access control for the translation memory API
Weaknesses		CWE-862
References		https://github.com/WeblateOrg/weblate/pull/18513 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-15T17:51:46.812Z

Updated: 2026-04-15T20:02:14.057Z

Reserved: 2026-03-17T23:23:58.314Z

Link: CVE-2026-33214

Vulnrichment

Updated: 2026-04-15T18:32:45.655Z

NVD

Status : Received

Published: 2026-04-15T18:17:20.053

Modified: 2026-04-15T18:17:20.053

Link: CVE-2026-33214

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33214", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-04-15T17:51:46.812Z", "dateUpdated": "2026-04-15T20:02:14.057Z"}, "containers": {"cna": {"title": "Weblate has improper access control for the translation memory API", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r"}, {"name": "https://github.com/WeblateOrg/weblate/pull/18513", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/18513"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T17:51:46.812Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature."}], "source": {"advisory": "GHSA-mpf5-3vph-q75r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:31:35.155126Z", "id": "CVE-2026-33214", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:02:14.057Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33214", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:31:35.155126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:32:45.655Z"}}], "cna": {"title": "Weblate has improper access control for the translation memory API", "source": {"advisory": "GHSA-mpf5-3vph-q75r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.17"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/18513", "name": "https://github.com/WeblateOrg/weblate/pull/18513", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T17:51:46.812Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33214", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:02:14.057Z", "dateReserved": "2026-03-17T23:23:58.314Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T17:51:46.812Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}