
CVE-2025-49134: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in WeblateOrg weblate

Severity: Low
Published: Mon Jun 16 2025 (06/16/2025, 21:03:31 UTC)
Source: CVE Database V5
Vendor/Project: WeblateOrg
Product: weblate

Description

Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12.

AI-Powered Analysis

Last updated: 06/16/2025, 21:34:31 UTC

Technical Analysis

CVE-2025-49134 is a low-severity vulnerability affecting Weblate, a web-based localization tool widely used for collaborative translation and localization projects. Prior to version 5.12, the audit log notifications that track user actions within the platform included the full IP address of the acting user. When these notifications are sent via email, third-party servers such as SMTP relays or spam filters can read that IP address. This exposure is a privacy risk: IP addresses can be used to infer a user's location, track their activity, or correlate identities across different services. The vulnerability is classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The issue was patched in Weblate version 5.12, which removed or obfuscated the IP address information in audit log notifications. The CVSS 4.0 score is 2.1, reflecting low severity: limited impact on confidentiality and no impact on integrity or availability. The attack vector is network-based (AV:N) with high attack complexity (AC:H); high privileges (PR:H) within the system are required to trigger the audit log notifications containing the IP addresses, and beyond that privilege requirement no user interaction is needed. There are no known exploits in the wild at this time. Overall, this vulnerability primarily impacts user privacy rather than system security or functionality.

Potential Impact

For European organizations using Weblate versions prior to 5.12, this vulnerability poses a privacy risk by potentially exposing user IP addresses through audit log notifications sent via email. This could lead to unauthorized actors, such as malicious SMTP relay operators or spam filter providers, gaining access to sensitive user metadata. The exposure of IP addresses can facilitate user tracking, profiling, or targeted attacks such as spear phishing or social engineering. While the vulnerability does not directly compromise system integrity or availability, it undermines compliance with European data protection regulations such as the GDPR, which mandates strict controls over personal data processing and transmission. Organizations with strict privacy requirements or those handling sensitive localization projects may face reputational damage or regulatory scrutiny if this vulnerability is exploited. However, the impact is limited by the requirement that the attacker must have high privileges within the Weblate system to generate the audit logs containing IP addresses, reducing the likelihood of widespread exploitation. Additionally, the vulnerability does not affect the core functionality or security of the Weblate platform beyond privacy concerns.

Mitigation Recommendations

1. Upgrade Weblate installations to version 5.12 or later immediately to ensure the patch removing IP address exposure in audit log notifications is applied.
2. Review and restrict access controls within Weblate to minimize the number of users with high privileges capable of generating audit logs containing sensitive information.
3. Configure email systems to use end-to-end encryption (e.g., S/MIME or PGP) for audit log notifications to prevent interception by third-party SMTP relays or spam filters.
4. Implement strict monitoring and logging of privileged user actions within Weblate to detect any unauthorized attempts to generate or access audit logs.
5. Where possible, disable or customize audit log notifications to exclude sensitive information such as IP addresses if upgrading is delayed.
6. Conduct privacy impact assessments to ensure compliance with GDPR and other relevant data protection laws, documenting the mitigation steps taken.
7. Educate administrators and privileged users about the risks of exposing IP addresses and the importance of applying patches promptly.
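As an added illustration of mitigation 5 (example code, not Weblate's own; the event field names and the /24 and /48 prefix lengths are assumptions), a notification renderer that truncates the acting user's address to a network prefix before the body is handed to a mail relay, beside a pre-5.12-style renderer that includes the full address, with a check that flags any full address still present in outbound text:

```python
import ipaddress

# Constructed sample audit events; field names are assumptions, not Weblate's schema.
SAMPLE_EVENTS = [
    {"user": "alice", "activity": "login", "address": "203.0.113.42"},
    {"user": "bob", "activity": "password", "address": "2001:db8:abcd:1234::5678"},
    {"user": "carol", "activity": "login", "address": "not-an-ip"},
]


def anonymize_ip(address: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host bits so only a coarse network prefix survives.

    Unparseable input is withheld entirely rather than echoed into the mail.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "[address withheld]"
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def render_verbose(event: dict) -> str:
    """Pre-5.12-style body: the full client address goes out to the relay."""
    return (
        f"Account activity for {event['user']}: {event['activity']}\n"
        f"IP address: {event['address']}\n"
    )


def render_minimized(event: dict) -> str:
    """Hardened body: same event, only the network prefix is included."""
    return (
        f"Account activity for {event['user']}: {event['activity']}\n"
        f"Approximate network: {anonymize_ip(event['address'])}\n"
    )


def leaked_addresses(body: str, events: list) -> list:
    """Outbound check: which full client addresses still appear verbatim in the body?"""
    return [e["address"] for e in events if e["address"] in body]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        assert leaked_addresses(render_minimized(event), [event]) == []
        print(render_minimized(event))
```

The same `leaked_addresses` check can be run against any notification template a deployment customizes, so a regression that reintroduces the full address is caught before the mail leaves.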


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-06-02T10:39:41.633Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68508a5da8c921274384ab40

Added to database: 6/16/2025, 9:19:25 PM

Last enriched: 6/16/2025, 9:34:31 PM

Last updated: 7/30/2025, 4:17:54 PM

