CVE-2026-21889: CWE-284: Improper Access Control in WeblateOrg weblate
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.
AI Analysis
Technical Summary
CVE-2026-21889 identifies an improper access control vulnerability (CWE-284) in Weblate, a web-based localization platform widely used for managing software translation projects. Prior to version 5.15.2, Weblate served screenshot images directly through its HTTP server without enforcing proper access controls. This design flaw means that an unauthenticated attacker could potentially retrieve screenshot images by guessing or enumerating their filenames, as no authentication or authorization checks were applied to these resources. Screenshots often contain user interface elements or localized content that may reveal sensitive project information or internal development details. The vulnerability does not require user interaction or authentication, but the attack complexity is high because the attacker must guess valid filenames, which may be non-trivial depending on the naming scheme. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:L), no user interaction (UI:N), and low confidentiality impact (VC:L). There are no known exploits in the wild, and the issue was addressed by implementing proper access control mechanisms in Weblate version 5.15.2. This fix ensures that screenshot images are no longer accessible without appropriate permissions, mitigating the risk of unauthorized data disclosure.
Potential Impact
For European organizations using Weblate versions prior to 5.15.2, this vulnerability could lead to unauthorized disclosure of screenshot images related to localization projects. While the confidentiality impact is low, the exposure of screenshots might reveal internal UI designs, translation progress, or sensitive project details that could aid further reconnaissance or social engineering attacks. The integrity and availability of systems are not affected. The low severity and high attack complexity reduce the likelihood of widespread exploitation, but organizations with strict data privacy requirements or sensitive localization content may face compliance or reputational risks if screenshots are exposed. Since Weblate is popular among open source communities and enterprises managing multilingual software, the impact is more pronounced in sectors relying heavily on software localization and development transparency.
Mitigation Recommendations
European organizations should immediately upgrade Weblate installations to version 5.15.2 or later to ensure the vulnerability is patched. If upgrading is not immediately feasible, administrators should restrict HTTP access to the directory or endpoint serving screenshot images using web server configuration (e.g., access control lists, IP whitelisting, or authentication requirements). Implementing strong filename randomization or obfuscation can reduce the risk of successful filename guessing. Regularly audit web server logs for suspicious access attempts to screenshot resources. Additionally, organizations should review their localization project data to assess the sensitivity of exposed screenshots and consider removing or redacting sensitive images. Incorporating access control policies and secure coding practices in localization tools will help prevent similar issues in the future.
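One way to carry out the log-audit step recommended above, added here as an example that is not part of the original advisory or of Weblate's own code. It assumes the web server writes the common "combined" access log format; the screenshot URL prefix and the sample log lines are constructed placeholders, not values from the advisory.

```python
import re
from collections import defaultdict

# Assumed: nginx/Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Placeholder: set this to the URL prefix under which your deployment serves screenshots.
SCREENSHOT_PREFIX = "/media/screenshots/"

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jan/2026:16:40:01 +0000] "GET /media/screenshots/a1.png HTTP/1.1" 404 153 "-" "curl/8.5"
203.0.113.5 - - [14/Jan/2026:16:40:02 +0000] "GET /media/screenshots/a2.png HTTP/1.1" 404 153 "-" "curl/8.5"
203.0.113.5 - - [14/Jan/2026:16:40:02 +0000] "GET /media/screenshots/a3.png HTTP/1.1" 404 153 "-" "curl/8.5"
203.0.113.5 - - [14/Jan/2026:16:40:03 +0000] "GET /media/screenshots/a4.png HTTP/1.1" 404 153 "-" "curl/8.5"
203.0.113.5 - - [14/Jan/2026:16:40:03 +0000] "GET /media/screenshots/login.png HTTP/1.1" 200 48211 "-" "curl/8.5"
198.51.100.7 - - [14/Jan/2026:16:41:10 +0000] "GET /media/screenshots/login.png HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2026:16:41:12 +0000] "GET /translate/proj/comp/cs/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return {ip, method, path, status} for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}


def find_enumeration(log_text, min_requests=5, min_404_ratio=0.6):
    """Flag clients whose requests under SCREENSHOT_PREFIX are numerous and mostly 404:
    a user following links fetches screenshots that exist, a client guessing names mostly misses."""
    stats = defaultdict(lambda: [0, 0])  # ip -> [screenshot requests, of which 404]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SCREENSHOT_PREFIX):
            continue
        stats[rec["ip"]][0] += 1
        if rec["status"] == 404:
            stats[rec["ip"]][1] += 1
    return {
        ip: {"requests": total, "not_found": nf}
        for ip, (total, nf) in stats.items()
        if total >= min_requests and nf / total >= min_404_ratio
    }


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Tune `min_requests` and `min_404_ratio` to your traffic; after upgrading to 5.15.2 the same check still shows whether anyone was probing the old unprotected path.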
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T17:24:36.929Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6967c8edd0ff220b95d99078
Added to database: 1/14/2026, 4:48:45 PM
Last enriched: 1/14/2026, 5:03:02 PM
Last updated: 2/4/2026, 10:44:05 PM
Views: 32