
Weblate API Exposes All Addon Configurations to All Users

CVE-2026-27457 · GHSA-wppc-7cq7-cgfv
Summary

Weblate's API allows any authenticated user to view all add-on configurations across all projects and components. This could allow unauthorized access to sensitive information. Update to Weblate version 5.16.1 or later to fix the issue.

What to do
  • Update weblate to version 5.16.1.
Affected software
Vendor    Product    Affected versions    Fix available
weblate   weblate    <= 5.16.1            5.16.1
Original title
Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
Original description
Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue.
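The pattern the description names, a class-level `queryset = Addon.objects.all()` on a Django REST Framework ViewSet with no `get_queryset()` override, is generic and worth seeing side by side with its remediation. The following is an added illustration, not Weblate's code: a pure-Python stand-in for a DRF ViewSet so it runs without Django. Only the names `AddonViewSet`, `get_queryset` and `REQUIRE_LOGIN` come from the advisory; the `User` and `Addon` classes, the project names and the sample addon configurations are constructed for this example, and the exact filter Weblate 5.16.1 applies is not claimed here.

```python
# Illustrative, pure-Python stand-in for a Django REST Framework ViewSet.
# Not Weblate's code: only AddonViewSet, get_queryset and REQUIRE_LOGIN are
# names from the advisory; everything else (User, Addon, project names, the
# sample addon configurations) is constructed for this example.
from dataclasses import dataclass


@dataclass
class Addon:
    id: int
    name: str
    project: str          # project the addon's component belongs to
    configuration: dict   # addon settings; may carry tokens or internal URLs


@dataclass
class User:
    username: str
    is_authenticated: bool = True
    viewable_projects: frozenset = frozenset()


class NotFound(Exception):
    """Stands in for the HTTP 404 a DRF view raises for an unknown object."""


# Constructed sample data: one public project and one internal project whose
# webhook addon carries a secret in its configuration.
ADDONS = [
    Addon(1, "weblate.git.squash", "public-site", {"squash": "all"}),
    Addon(2, "weblate.webhook.notify", "internal-app",
          {"url": "https://hooks.example.internal/?token=SECRET"}),
    Addon(3, "weblate.cleanup.generic", "internal-app", {}),
]


class VulnerableAddonViewSet:
    """Pre-5.16.1 shape: class-level queryset of every addon, never scoped."""
    queryset = ADDONS

    def __init__(self, user, require_login=True):
        self.user = user
        self.require_login = require_login  # stands in for the REQUIRE_LOGIN setting

    def get_queryset(self):
        # What the framework does when get_queryset() is not overridden:
        # return the class-level queryset unchanged, whoever the caller is.
        return list(self.queryset)

    def list(self):                      # GET /api/addons/
        return self.get_queryset()

    def retrieve(self, addon_id):        # GET /api/addons/{id}/
        for addon in self.get_queryset():
            if addon.id == addon_id:
                return addon
        raise NotFound(addon_id)


class FixedAddonViewSet(VulnerableAddonViewSet):
    """Remediated shape: get_queryset() restricts rows to what the caller may view."""

    def get_queryset(self):
        user = self.user
        if not user.is_authenticated and self.require_login:
            return []
        # Only addons whose project the caller can view. retrieve() goes
        # through the same filter, so an out-of-scope id yields 404 rather
        # than 403 and the addon's existence is not confirmed.
        return [a for a in self.queryset if a.project in user.viewable_projects]


def exposed_ids(viewset):
    """Addon ids a caller can enumerate through the list endpoint."""
    return [a.id for a in viewset.list()]


def can_retrieve(viewset, addon_id):
    """True if the detail endpoint returns the addon to this caller."""
    try:
        viewset.retrieve(addon_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    alice = User("alice", viewable_projects=frozenset({"public-site"}))
    print("vulnerable:", exposed_ids(VulnerableAddonViewSet(alice)))  # [1, 2, 3]
    print("fixed:     ", exposed_ids(FixedAddonViewSet(alice)))       # [1]
```

The check that matters when reviewing a ViewSet is whether every code path that touches the model (list, retrieve, and any custom actions) goes through the scoped `get_queryset()`; a class-level `queryset` alone is only a declaration, not an access control.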
NVD CVSS 3.1 score: 4.3
Vulnerability type
CWE-200 Information Exposure
CWE-862 Missing Authorization
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026