CVE-2025-67715: CWE-284: Improper Access Control in WeblateOrg weblate
Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via the API. Version 5.15 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-67715 is an improper access control vulnerability (CWE-284) in Weblate, a web-based localization tool used to manage translation projects. In versions prior to 5.15, the Weblate API did not sufficiently restrict access to certain endpoints, allowing authenticated users with limited privileges to retrieve other users' notification settings and to enumerate all users in the system. The affected endpoints verified that the caller was authenticated but not that the caller was authorized to read the requested user data, so this is a missing authorization check rather than an authentication bypass. The vulnerability does not allow an attacker to modify or delete data and does not affect availability. Exploitation requires an authenticated account but no user interaction, and the attack vector is network-based. Weblate 5.15 addresses the issue by enforcing stricter access control on the affected API endpoints. No exploitation in the wild had been reported as of the publication date. The CVSS 3.1 base score is 4.3 (medium), reflecting the limited confidentiality impact and the requirement for authenticated access. The main risk is privacy: exposed notification preferences and a complete user list can feed social engineering or reconnaissance against the organization.
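The failure pattern described above, an endpoint that checks authentication but not authorization, modelled as an added example. This is not Weblate's code or its actual fix; it assumes two endpoint paths (`/api/users/` and `/api/users/<username>/notifications/`), a constructed in-memory user directory, and a single `is_superuser` flag standing in for whatever "may manage users" privilege a real deployment uses. With `hardened=False` any authenticated caller gets the full directory and any user's settings; with `hardened=True` non-admins see only themselves.

```python
import re
from dataclasses import dataclass

# Constructed, minimal model of the two affected API resources. The user
# records, the is_superuser flag and the endpoint paths are assumptions for
# illustration, not Weblate's data model or its actual fix.
@dataclass(frozen=True)
class User:
    username: str
    email: str
    is_superuser: bool = False

# Constructed sample data: three accounts, each with notification settings.
USERS = {
    "alice": User("alice", "alice@example.org", is_superuser=True),
    "bob": User("bob", "bob@example.org"),
    "carol": User("carol", "carol@example.org"),
}
NOTIFICATIONS = {
    "alice": [{"notification": "MergeFailure", "scope": "admin"}],
    "bob": [{"notification": "NewComment", "scope": "watched"}],
    "carol": [],
}

NOTIF_PATH_RE = re.compile(r"^/api/users/(?P<username>[^/]+)/notifications/$")


def can_manage_users(actor: User) -> bool:
    """Assumption: only superusers may administer other accounts."""
    return actor.is_superuser


def handle_get(path: str, actor: User, hardened: bool) -> tuple[int, object]:
    """Route an authenticated GET request.

    hardened=False reproduces the CWE-284 pattern: being logged in is the
    only requirement. hardened=True adds the authorization decision that
    the caller must be the target user or an administrator.
    Returns (status_code, body).
    """
    if path == "/api/users/":
        if hardened and not can_manage_users(actor):
            # Non-admins are limited to their own record instead of a full
            # directory listing that would enable user enumeration.
            return 200, [actor.username]
        return 200, sorted(USERS)

    m = NOTIF_PATH_RE.match(path)
    if m:
        target = m.group("username")
        if target not in USERS:
            return 404, None
        if hardened and actor.username != target and not can_manage_users(actor):
            # Object-level check: reading someone else's settings requires
            # the manage-users privilege.
            return 403, None
        return 200, NOTIFICATIONS[target]

    return 404, None


if __name__ == "__main__":
    bob = USERS["bob"]
    print("vulnerable:", handle_get("/api/users/", bob, hardened=False))
    print("hardened:  ", handle_get("/api/users/", bob, hardened=True))
    print("vulnerable:", handle_get("/api/users/alice/notifications/", bob, hardened=False))
    print("hardened:  ", handle_get("/api/users/alice/notifications/", bob, hardened=True))
```

The important detail is that the hardened branch decides per object (who is the target user?) and not only per endpoint; a check that asks "is the caller logged in?" at the endpoint level is exactly what leaves this class of information disclosure open.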
Potential Impact
For European organizations, the primary impact is the potential exposure of user-related information, including notification settings and user enumeration. This could lead to privacy violations, especially under GDPR regulations, as user data may be considered personal data. Organizations with large localization teams or those handling sensitive translation projects may face increased risk of targeted social engineering attacks or internal reconnaissance by malicious insiders. Although the vulnerability does not allow data modification or service disruption, the information disclosure could facilitate subsequent attacks. The impact is more pronounced in sectors with strict data privacy requirements, such as government, finance, and healthcare. Additionally, organizations relying heavily on Weblate for collaborative translation may experience reputational damage if user data is leaked. However, the lack of known exploits and the requirement for authenticated access reduce the immediate risk level.
Mitigation Recommendations
The primary mitigation is to upgrade Weblate installations to version 5.15 or later, where the access control issue is fixed. Organizations should inventory their Weblate versions and schedule patching accordingly. Until the upgrade is complete, review API permissions so that only accounts that genuinely need to administer users can reach user-listing endpoints, and monitor API access logs for bulk requests against the user list or for a single client reading notification settings of many different accounts. Restricting API access to trusted networks or a VPN reduces exposure, and API tokens should be scoped and rotated like any other credential. Warn users that names and addresses obtained through this kind of disclosure may be used in phishing and other social engineering. Finally, include the localization infrastructure in regular security assessments so that similar authorization gaps are found before they are reported externally.
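Two of the recommendations above, auditing the running version and watching API logs for enumeration, as an added example written for this page (not a Weblate or OffSeq tool). It assumes the affected resources live at `/api/users/` and `/api/users/<username>/notifications/`, that the web server writes nginx "combined" access logs, and that version strings look like `5.14.2`; the log lines are constructed and are not real traffic. Because the bearer token is not present in access logs, the heuristic keys on client IP: one address paging through the user list, or reading notification settings for several distinct accounts inside a short window, is flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the nginx "combined" format (not real traffic).
# 203.0.113.9 pages through the user list and then reads three users'
# notification settings; 198.51.100.4 is ordinary single-user activity.
SAMPLE_LOG = """\
203.0.113.9 - - [15/Dec/2025:10:01:02 +0000] "GET /api/users/?page=1 HTTP/1.1" 200 5120 "-" "python-requests/2.32"
203.0.113.9 - - [15/Dec/2025:10:01:03 +0000] "GET /api/users/?page=2 HTTP/1.1" 200 5097 "-" "python-requests/2.32"
203.0.113.9 - - [15/Dec/2025:10:01:04 +0000] "GET /api/users/alice/notifications/ HTTP/1.1" 200 812 "-" "python-requests/2.32"
203.0.113.9 - - [15/Dec/2025:10:01:04 +0000] "GET /api/users/bob/notifications/ HTTP/1.1" 200 640 "-" "python-requests/2.32"
203.0.113.9 - - [15/Dec/2025:10:01:05 +0000] "GET /api/users/carol/notifications/ HTTP/1.1" 200 233 "-" "python-requests/2.32"
198.51.100.4 - - [15/Dec/2025:10:02:10 +0000] "GET /api/users/dave/notifications/ HTTP/1.1" 200 455 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Dec/2025:10:02:11 +0000] "GET /api/projects/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
USERS_LIST_RE = re.compile(r"^/api/users/(\?.*)?$")
NOTIF_RE = re.compile(r"^/api/users/(?P<username>[^/]+)/notifications/$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def is_fixed(version: str) -> bool:
    """True when the running Weblate version is 5.15 or later."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) >= (5, 15, 0)


def parse_line(line: str):
    """Parse one combined-format access log line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_enumeration(log_text: str, window=timedelta(minutes=5),
                     max_users: int = 2, max_list_pages: int = 1) -> dict:
    """Return {ip: {"distinct_users": n, "list_pages": n}} for clients that,
    within any `window`, read notification settings of more than `max_users`
    distinct accounts or fetched more than `max_list_pages` user-list pages.
    Only successful (2xx) GETs count; denied requests after the fix are ignored.
    """
    events = defaultdict(list)  # ip -> [(timestamp, kind, value)]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "GET" or not 200 <= rec["status"] < 300:
            continue
        if USERS_LIST_RE.match(rec["path"]):
            events[rec["ip"]].append((rec["ts"], "list", rec["path"]))
        else:
            m = NOTIF_RE.match(rec["path"])
            if m:
                events[rec["ip"]].append((rec["ts"], "notif", m["username"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start, best_users, best_pages = 0, 0, 0
        # Sliding window over the client's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            users = {v for _ts, kind, v in current if kind == "notif"}
            pages = sum(1 for _ts, kind, _v in current if kind == "list")
            best_users, best_pages = max(best_users, len(users)), max(best_pages, pages)
        if best_users > max_users or best_pages > max_list_pages:
            findings[ip] = {"distinct_users": best_users, "list_pages": best_pages}
    return findings


if __name__ == "__main__":
    print("5.14.2 fixed?", is_fixed("5.14.2"), "| 5.15 fixed?", is_fixed("5.15"))
    for ip, detail in find_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {detail}")
```

The thresholds are deliberately low for the sample; on a real instance tune `max_users` and `window` against a baseline, since an administrator reviewing several accounts will look similar, and once 5.15 is deployed the same requests from non-admins show up as 403s, which the filter on 2xx status ignores by design.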
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-10T17:47:36.418Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 12/16/2025, 12:45:38 AM
Last enriched: 12/23/2025, 1:34:29 AM
Last updated: 2/7/2026, 2:36:55 PM