CVE-2026-33212: CWE-284: Improper Access Control in WeblateOrg weblate
Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17.
AI Analysis
Technical Summary
Weblate before version 5.17 contains an access control flaw (CWE-284) in its tasks API where user permissions were not verified for pending tasks. This flaw could allow unauthorized users to access logs of ongoing tasks if they successfully brute-force the task's random UUID. The difficulty of exploitation is increased by API rate limiting. The issue was resolved in version 5.17 of Weblate.
Potential Impact
Unauthorized users with low privileges could gain read access to logs of in-progress tasks, potentially exposing sensitive operational information. There is no impact on integrity or availability. Exploitation likelihood is low due to the need to brute-force UUIDs and existing rate limits.
Mitigation Recommendations
Upgrade Weblate to version 5.17 or later where this vulnerability is fixed. No other mitigation is indicated or required.
CVE-2026-33212: CWE-284: Improper Access Control in WeblateOrg weblate
Description
Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Weblate before version 5.17 contains an access control flaw (CWE-284) in its tasks API where user permissions were not verified for pending tasks. This flaw could allow unauthorized users to access logs of ongoing tasks if they successfully brute-force the task's random UUID. The difficulty of exploitation is increased by API rate limiting. The issue was resolved in version 5.17 of Weblate.
Potential Impact
Unauthorized users with low privileges could gain read access to logs of in-progress tasks, potentially exposing sensitive operational information. There is no impact on integrity or availability. Exploitation likelihood is low due to the need to brute-force UUIDs and existing rate limits.
Mitigation Recommendations
Upgrade Weblate to version 5.17 or later where this vulnerability is fixed. No other mitigation is indicated or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-17T23:23:58.313Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dfd29182d89c981f86fbb4
Added to database: 4/15/2026, 6:01:53 PM
Last enriched: 4/15/2026, 6:16:53 PM
Last updated: 4/15/2026, 7:09:05 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.