CVE-2026-22251 is a vulnerability identified in the Weblate command-line client (wlc), which interfaces with Weblate's REST API to facilitate localization workflows. Prior to version 1.17.0, wlc allowed the use of unscoped API keys in its configuration settings. Unscoped API keys are broad in their permissions and not limited to specific repositories or actions, increasing the risk if exposed. Although the use of unscoped keys was discouraged for years, the code supporting them was never removed, creating a latent security risk. This vulnerability (classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) can lead to the leakage of these unscoped API keys to unintended servers, potentially through misconfigurations or network interactions initiated by the client. The CVSS 3.1 vector indicates that exploitation requires local access (AV:L), high attack complexity (AC:H), limited privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No known exploits have been reported in the wild, but the risk remains significant due to the sensitive nature of API keys, which if compromised, could allow unauthorized access to Weblate projects and data. The vulnerability was publicly disclosed in January 2026, and no official patch links are currently provided, emphasizing the importance of upgrading to version 1.17.0 or later where this issue is addressed.

For European organizations, the exposure of unscoped API keys in wlc can lead to unauthorized access to sensitive localization projects, potentially leaking proprietary or confidential translation data. This could result in intellectual property theft, reputational damage, and compliance issues, especially under GDPR if personal data is involved in translations. The impact is heightened in organizations with distributed teams relying heavily on automated localization pipelines using wlc. Since exploitation requires local access and user interaction, insider threats or compromised endpoints pose a significant risk vector. The vulnerability does not affect data integrity or system availability directly but compromises confidentiality, which is critical for organizations managing sensitive content. Additionally, unauthorized access could facilitate further lateral movement or data exfiltration within the network. The medium severity rating suggests a moderate but non-trivial risk, warranting prompt remediation to prevent potential escalation.

European organizations should immediately upgrade wlc to version 1.17.0 or later, where support for unscoped API keys has been removed. Audit all API keys used with wlc to ensure they are scoped with the minimum necessary permissions, avoiding broad or unscoped keys. Implement strict access controls and rotate API keys regularly to limit exposure duration. Educate users on the risks of using unscoped keys and the importance of following secure key management practices. Monitor network traffic and API usage logs for unusual or unauthorized access patterns that could indicate key leakage or misuse. Employ endpoint security measures to reduce the risk of local compromise and enforce least privilege principles for users operating wlc. Where possible, isolate localization workflows and restrict the environments in which wlc is used to minimize exposure. Finally, maintain up-to-date inventories of software versions and dependencies to quickly identify and remediate vulnerable instances.