CVE-2025-67715: CWE-284: Improper Access Control in WeblateOrg weblate
Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-67715 is an improper access control vulnerability classified under CWE-284 and CWE-285 affecting Weblate, a web-based localization platform. In versions prior to 5.15, the API endpoints responsible for user notification settings and user listing did not enforce sufficient access controls, allowing authenticated users with limited privileges to access information about other users. Specifically, an attacker with valid credentials but without administrative privileges could retrieve the notification preferences of other users and obtain a list of all users registered in the system. This information disclosure could facilitate targeted phishing or social engineering and aid further reconnaissance. The vulnerability does not allow modification of data or disruption of service, so its impact is limited to confidentiality. The flaw was addressed in Weblate 5.15 by adding stricter access control checks on the affected API endpoints. The CVSS v3.1 base score is 4.3, reflecting the network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope (only the Weblate instance itself is affected), and limited confidentiality impact. No known exploits had been reported in the wild as of the publication date.
Potential Impact
For European organizations using Weblate versions prior to 5.15, this vulnerability poses a moderate risk to user privacy and confidentiality. Attackers with valid user credentials could enumerate all users and access notification settings, potentially exposing email addresses and notification preferences. This information could be leveraged for targeted phishing campaigns or social engineering attacks, increasing the risk of credential compromise or lateral movement within the organization. While the vulnerability does not allow data modification or service disruption, the leakage of user information can undermine trust and violate data protection regulations such as GDPR. Organizations handling sensitive localization projects or working with confidential content may face reputational damage if user data is exposed. The impact is more pronounced in environments where user credentials are shared or weak, or where attackers can gain initial access through other means. Since Weblate is often used in software development and localization workflows, compromise could indirectly affect project confidentiality and integrity if attackers escalate privileges after reconnaissance.
Mitigation Recommendations
The primary mitigation is to upgrade Weblate installations to version 5.15 or later, where the access control issues have been fixed. Organizations should audit their Weblate instances to identify affected versions and plan timely patching. In addition, implement strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Limit user privileges to the minimum necessary and review API access logs for unusual activity indicative of enumeration attempts. Network segmentation can restrict access to Weblate instances to trusted users only. If upgrading immediately is not feasible, consider disabling or restricting API endpoints related to user notification settings and user listing to trusted administrators. Regularly monitor vulnerability advisories from Weblate and related security communities for updates or emerging exploit reports. Finally, conduct user awareness training to mitigate risks from phishing attacks that could leverage leaked user information.
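As an added illustration of the log-review step above (not code from Weblate or from this advisory), the script below flags an authenticated principal who reads other users' notification settings or pages repeatedly through the user list. The log format and the endpoint paths (/api/users/ and /api/users/<name>/notifications/) are assumptions, and the log lines are constructed; adapt the regexes to the format your reverse proxy actually writes.

```python
import re
from collections import defaultdict
# Constructed sample access-log lines (not from any real Weblate instance).
# Format assumed: client IP, authenticated user, request line, HTTP status.
# Endpoint paths are an assumption about Weblate's REST API layout.
SAMPLE_LOG = """\
10.0.0.5 alice "GET /api/users/alice/notifications/ HTTP/1.1" 200
10.0.0.5 alice "GET /api/users/bob/notifications/ HTTP/1.1" 200
10.0.0.5 alice "GET /api/users/carol/notifications/ HTTP/1.1" 200
10.0.0.5 alice "GET /api/users/dave/notifications/ HTTP/1.1" 200
10.0.0.5 alice "GET /api/users/?page=1 HTTP/1.1" 200
10.0.0.5 alice "GET /api/users/?page=2 HTTP/1.1" 200
10.0.0.9 bob "GET /api/users/bob/notifications/ HTTP/1.1" 200
10.0.0.9 bob "GET /api/projects/ HTTP/1.1" 200
"""
LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+) [^"]*" (\d{3})$')
NOTIF_RE = re.compile(r"^/api/users/([^/]+)/notifications/")
LIST_RE = re.compile(r"^/api/users/(\?.*)?$")

def find_enumerators(log_text, max_foreign=1, max_list_pages=1):
    """Return {user: [reasons]} for principals whose successful reads look like enumeration."""
    foreign = defaultdict(set)     # user -> other users whose settings were read
    list_pages = defaultdict(int)  # user -> count of /api/users/ listing requests
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ip, user, method, path, status = m.groups()
        # Only successful reads matter: a 403 here means the 5.15 checks are in place.
        if method != "GET" or status != "200":
            continue
        n = NOTIF_RE.match(path)
        if n and n.group(1) != user:
            foreign[user].add(n.group(1))
        elif LIST_RE.match(path):
            list_pages[user] += 1
    findings = {}
    for u in set(foreign) | set(list_pages):
        reasons = []
        if len(foreign[u]) > max_foreign:
            reasons.append(f"read notification settings of {len(foreign[u])} other users")
        if list_pages[u] > max_list_pages:
            reasons.append(f"paged through the user list {list_pages[u]} times")
        if reasons:
            findings[u] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {user}: " + "; ".join(reasons))
```

On the constructed sample only alice is flagged; raising the thresholds suppresses the alert, which is how you tune it for instances where admins legitimately read other users' settings.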
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-10T17:47:36.418Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6940abb2d9bcdf3f3d14314c
Added to database: 12/16/2025, 12:45:38 AM
Last enriched: 12/16/2025, 1:02:09 AM
Last updated: 12/16/2025, 7:04:34 AM