CVE-2026-27457: CWE-862: Missing Authorization in WeblateOrg weblate
Weblate is a web-based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users if `REQUIRE_LOGIN` is not set) to list and retrieve ALL addons across all projects and components via `GET /api/addons/` and `GET /api/addons/{id}/`. Version 5.16.1 fixes the issue.
AI Analysis
Technical Summary
Weblate is a web-based localization platform that facilitates collaborative translation management. In versions prior to 5.16.1, the REST API endpoint responsible for managing addons (AddonViewSet in weblate/api/views.py at line 2831) improperly handles authorization. Specifically, it uses a queryset defined as Addon.objects.all() without overriding the get_queryset() method to filter results based on the requesting user's permissions. This results in any authenticated user being able to access the full list of addons and retrieve details for any addon across all projects and components via the GET /api/addons/ and GET /api/addons/{id}/ endpoints. If the Weblate instance is configured without requiring login (REQUIRE_LOGIN not set), even anonymous users can exploit this flaw. The vulnerability corresponds to CWE-862 (Missing Authorization) and CWE-200 (Information Exposure). Although the flaw does not allow modification or deletion of data, it exposes potentially sensitive addon information to unauthorized users. The issue was addressed in Weblate version 5.16.1 by properly scoping the queryset to user permissions, thereby enforcing authorization checks. There are no known exploits in the wild as of the publication date, and the CVSS v3.1 base score is 4.3, reflecting a medium severity impact primarily on confidentiality with low attack complexity and requiring at least authenticated access unless login is disabled.
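The authorization gap described above, modelled in plain Python as an added example (this is not Weblate's code and does not use Django or DRF): a view set whose class-level `queryset` is every addon, beside the same view set with a per-user `get_queryset()`. The `Project`, `User`, `can_view` and `access_control` names and the sample data are constructed for illustration; only `AddonViewSet`, `get_queryset()` and the all-addons queryset come from the advisory.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Project:
    name: str
    access_control: str  # constructed attribute: "public" or "private"

@dataclass(frozen=True)
class Addon:
    id: int
    name: str
    project: Project

@dataclass
class User:
    username: str
    # Constructed: names of private projects this user may view.
    project_access: frozenset = field(default_factory=frozenset)

    def can_view(self, project):
        # Public projects are readable by everyone, anonymous included.
        return project.access_control == "public" or project.name in self.project_access

# Constructed sample data: one public and one private project, three addons.
PUBLIC = Project("docs", "public")
PRIVATE = Project("internal-payments", "private")
ALL_ADDONS = [Addon(1, "weblate.cleanup.generic", PUBLIC),
              Addon(2, "weblate.flags.bulk", PRIVATE),
              Addon(3, "weblate.git.squash", PRIVATE)]

class VulnerableAddonViewSet:
    """Pre-5.16.1 shape: class-level queryset, get_queryset() never overridden."""
    queryset = ALL_ADDONS

    def list(self, user):
        return [a.id for a in self.queryset]  # the user is never consulted

class ScopedAddonViewSet(VulnerableAddonViewSet):
    """Fixed shape: every read goes through a per-user get_queryset()."""

    def get_queryset(self, user):
        return [a for a in self.queryset if user.can_view(a.project)]

    def list(self, user):
        return [a.id for a in self.get_queryset(user)]

    def retrieve(self, user, addon_id):
        # Lookup also goes through the scoped queryset: a forbidden addon reads as 404.
        return next((a for a in self.get_queryset(user) if a.id == addon_id), None)
```

Routing `retrieve` through the same scoped queryset matters as much as `list`: scoping only the list view would still let `GET /api/addons/{id}/` confirm that a given addon exists.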
Potential Impact
The primary impact of CVE-2026-27457 is unauthorized disclosure of addon information within Weblate instances. This can lead to exposure of sensitive metadata about addons, which may include configuration details or other information that could aid an attacker in further reconnaissance or targeted attacks. While the vulnerability does not allow modification or disruption of services, the confidentiality breach could undermine trust in the localization platform and potentially expose intellectual property or internal project details. Organizations relying on Weblate for managing translations across multiple projects may inadvertently expose addon data to unauthorized users, increasing the risk of information leakage. The impact is more pronounced in environments where REQUIRE_LOGIN is disabled, allowing anonymous access. Given Weblate's use in open source and enterprise environments worldwide, the vulnerability could affect a broad range of organizations, especially those with sensitive or proprietary localization workflows.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade Weblate to version 5.16.1 or later, where the authorization checks are properly implemented. If immediate upgrade is not feasible, administrators should ensure that the REQUIRE_LOGIN setting is enabled to prevent anonymous access to the API endpoints. Additionally, restricting API access through network controls such as IP whitelisting or VPN-only access can reduce exposure. Monitoring API access logs for unusual or unauthorized requests to /api/addons/ endpoints can help detect exploitation attempts. Implementing role-based access controls and reviewing user permissions regularly will further limit the risk. Finally, organizations should audit their Weblate configurations and addon data to assess any potential information exposure and take corrective actions as needed.
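The log review the recommendation above calls for, as an added example that is not part of the advisory or of Weblate: it scans constructed nginx-style access log lines and reports clients that listed `/api/addons/` or fetched several distinct `/api/addons/{id}/` objects. The log format, the `max_ids` threshold and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: one ordinary lookup, then one client enumerating addons.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2026:10:01:02 +0000] "GET /api/addons/7/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Feb/2026:10:05:00 +0000] "GET /api/addons/ HTTP/1.1" 200 40960 "-" "python-requests/2.31"
203.0.113.9 - - [26/Feb/2026:10:05:01 +0000] "GET /api/addons/1/ HTTP/1.1" 200 510 "-" "python-requests/2.31"
203.0.113.9 - - [26/Feb/2026:10:05:02 +0000] "GET /api/addons/2/ HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.9 - - [26/Feb/2026:10:05:03 +0000] "GET /api/addons/3/ HTTP/1.1" 200 502 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ADDON_RE = re.compile(r"^/api/addons/(?:(?P<id>\d+)/)?$")

def find_addon_enumeration(log_text, max_ids=3):
    """Return {ip: {"listed": bool, "distinct_ids": int}} for clients that
    listed /api/addons/ or fetched at least max_ids distinct addon ids (2xx only)."""
    per_ip = defaultdict(lambda: {"listed": False, "ids": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # only successful reads of the endpoint are interesting
        a = ADDON_RE.match(m["path"])
        if not a:
            continue
        if a["id"] is None:
            per_ip[m["ip"]]["listed"] = True  # full listing via /api/addons/
        else:
            per_ip[m["ip"]]["ids"].add(int(a["id"]))
    return {ip: {"listed": d["listed"], "distinct_ids": len(d["ids"])}
            for ip, d in per_ip.items()
            if d["listed"] or len(d["ids"]) >= max_ids}
```

On a patched instance these requests still appear but return only what the caller may see, so the check is most useful for the window before the upgrade to 5.16.1.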
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Japan, Netherlands, Sweden, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-19T17:25:31.100Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0c5b685912abc710cd5ce
Added to database: 2/26/2026, 10:14:14 PM
Last enriched: 2/26/2026, 10:27:52 PM
Last updated: 2/27/2026, 2:24:49 AM