Weblate is a web-based localization tool used to manage translations and related components. In versions prior to 5.16.1, the REST API endpoint responsible for managing addons (AddonViewSet in weblate/api/views.py at line 2831) suffers from a missing authorization control vulnerability (CWE-862). Specifically, the API uses a queryset that returns all Addon objects (Addon.objects.all()) without overriding the get_queryset() method to filter results based on the requesting user's permissions. This results in any authenticated user being able to access the full list of addons and retrieve details of any addon across all projects and components via the GET /api/addons/ and GET /api/addons/{id}/ endpoints. If the Weblate instance is configured without requiring login (REQUIRE_LOGIN not set), even anonymous users can exploit this flaw. The vulnerability does not allow modification or deletion of data, so integrity and availability are not impacted, but confidentiality is compromised as unauthorized users gain access to potentially sensitive addon data. The issue was addressed and fixed in Weblate version 5.16.1 by properly scoping the queryset to user permissions. The CVSS v3.1 base score is 4.3, reflecting a medium severity due to the limited impact and requirement for at least authentication in most configurations.

The primary impact of this vulnerability is unauthorized disclosure of addon information across all projects and components managed by Weblate. Organizations using affected versions may inadvertently expose sensitive metadata or configuration details about their localization addons to unauthorized users. This could aid attackers in reconnaissance efforts or reveal proprietary or confidential project information. Since the vulnerability does not allow modification or deletion, the risk to data integrity and system availability is low. However, the exposure of internal addon data could have compliance or privacy implications depending on the nature of the information contained within the addons. The risk is higher in environments where anonymous access is allowed, as unauthenticated attackers could exploit the flaw. Organizations relying heavily on Weblate for localization in software development, especially those with sensitive or proprietary projects, are at risk of information leakage until they upgrade to version 5.16.1 or apply equivalent access control measures.

To mitigate this vulnerability, organizations should upgrade Weblate to version 5.16.1 or later, where the issue is fixed by scoping the AddonViewSet queryset to user permissions. If immediate upgrade is not possible, administrators should ensure that the REQUIRE_LOGIN setting is enabled to prevent anonymous access to the API. Additionally, implementing network-level access controls such as IP whitelisting or VPN requirements for accessing the Weblate instance can reduce exposure. Monitoring API access logs for unusual or unauthorized addon enumeration attempts can help detect exploitation attempts. Reviewing and restricting user permissions to the minimum necessary can also limit the impact. Finally, consider conducting a security review of other API endpoints to ensure proper authorization checks are consistently enforced.