8.8
Weblate User Patching API Allows Unauthorized Edits
CVE-2026-34393
GHSA-3382-gw9x-477v
Summary
Weblate's user patching API in older versions allowed anyone to make changes to translations without proper authorization. This could lead to unauthorized edits being made to translations. Update to Weblate version 5.17 or later to fix this issue.
What to do
- Update weblate to version 5.17.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | weblate | < 5.17 (fix: upgrade to 5.17) |
Original title
Weblate: Privilege escalation in the user API endpoint
Original description
### Impact
The user patching API endpoint didn't properly limit the scope of edits.
### Patches
* https://github.com/WeblateOrg/weblate/pull/18687
### References
Thanks to @tikket1 and @DavidCarliez for reporting this via GitHub. We received two individual reports for this.
nvd CVSS3.1
8.8
Vulnerability type
CWE-269
Improper Privilege Management
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 15 Apr 2026