PT-2026-22201 · Weblate · Weblate
Lighthousekeeper1212 · Published 2026-02-26 · Updated 2026-03-09 · CVE-2026-27457
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Weblate versions prior to 5.16.1
Description
Weblate's REST API viewset AddonViewSet in weblate/api/views.py (line 2831) did not restrict access to addon information according to the requesting user's permissions. Specifically, the class-level assignment queryset = Addon.objects.all() in the viewset exposed every addon to any authenticated user, and to anonymous users as well when REQUIRE_LOGIN was not enabled: the GET /api/addons/ and GET /api/addons/{id}/ endpoints listed and returned addons across all projects and components, regardless of whether the caller had access to them. As a result, addon configurations could be read without authorization.
Recommendations
Update to Weblate version 5.16.1 or later.
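To make the authorization gap concrete, the following is an added example written for this advisory, not Weblate's own code. It is a plain-Python stand-in for the Django REST framework viewset shape (no Django needed): the toy Project/Component/Addon/User classes, the addon names, the sample data and the allowed_projects attribute are all constructed assumptions. What it shows is why a static class-level queryset is the problem and why scoping it per request is the fix: list() and retrieve() both read get_queryset(), so one per-user filter closes both GET /api/addons/ and GET /api/addons/{id}/, and it also covers the anonymous case the advisory mentions when REQUIRE_LOGIN is off.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy stand-ins for the ORM models; not Weblate's real classes.
@dataclass(frozen=True)
class Project:
    slug: str

@dataclass(frozen=True)
class Component:
    slug: str
    project: Project

@dataclass(frozen=True)
class Addon:
    id: int
    name: str
    component: Optional[Component]  # None models a site-wide addon (assumption)
    configuration: dict = field(default_factory=dict)

@dataclass
class User:
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False
    allowed_projects: frozenset = frozenset()  # assumed attribute name

REQUIRE_LOGIN = False  # the setting the advisory names; False lets anonymous clients reach the API
ANONYMOUS = User("anonymous", is_authenticated=False)

class PermissionDenied(Exception):
    pass

class NotFound(Exception):
    pass

class AddonViewSetBase:
    """Same shape as a DRF read-only viewset: list() and retrieve() both read
    get_queryset(), so a queryset scoped per request protects both endpoints."""

    def __init__(self, addons, user):
        if REQUIRE_LOGIN and not user.is_authenticated:
            raise PermissionDenied("login required")
        self.all_addons = list(addons)
        self.request_user = user

    def get_queryset(self):
        raise NotImplementedError

    def list(self):  # GET /api/addons/
        return [addon.id for addon in self.get_queryset()]

    def retrieve(self, pk):  # GET /api/addons/{id}/
        for addon in self.get_queryset():
            if addon.id == pk:
                return addon.configuration
        raise NotFound(pk)  # hidden objects are indistinguishable from absent ones

class VulnerableAddonViewSet(AddonViewSetBase):
    """The pattern the advisory describes: a static, unfiltered queryset."""

    def get_queryset(self):
        return self.all_addons  # plays the role of Addon.objects.all()

class FixedAddonViewSet(AddonViewSetBase):
    """Scope the queryset to the requesting user: only addons whose component sits in
    a project the user may access; site-wide addons only for superusers (assumption)."""

    def get_queryset(self):
        user = self.request_user
        if user.is_superuser:
            return self.all_addons
        return [
            addon for addon in self.all_addons
            if addon.component is not None
            and addon.component.project in user.allowed_projects
        ]

def build_sample():
    """Constructed sample data: two projects, three addons, one ordinary user."""
    public = Project("public-docs")
    internal = Project("internal-crm")
    addons = [
        Addon(1, "example.addon.flags", Component("website", public), {"flags": "safe-html"}),
        Addon(2, "example.addon.webhook", Component("crm", internal),
              {"url": "https://hooks.example.invalid/constructed"}),
        Addon(3, "example.addon.cleanup", None, {}),
    ]
    alice = User("alice", allowed_projects=frozenset({public}))
    return addons, alice

def list_as(viewset_cls, user):
    """Addon IDs a given user sees from GET /api/addons/ under the chosen viewset."""
    addons, _ = build_sample()
    return viewset_cls(addons, user).list()

def retrieve_or_none(viewset_cls, user, pk):
    """Configuration from GET /api/addons/{id}/, or None where the user would get a 404."""
    addons, _ = build_sample()
    try:
        return viewset_cls(addons, user).retrieve(pk)
    except NotFound:
        return None

if __name__ == "__main__":
    _, alice = build_sample()
    for cls in (VulnerableAddonViewSet, FixedAddonViewSet):
        print(cls.__name__, "alice sees", list_as(cls, alice),
              "anonymous sees", list_as(cls, ANONYMOUS))
```

Running the script shows the vulnerable viewset returning all three addon IDs to alice and to the anonymous client alike, while the scoped viewset returns only the addon in alice's project and nothing to the anonymous client. Note that the detail endpoint needs no separate check: because retrieve() searches the same filtered queryset, an addon outside the user's projects yields a not-found response rather than its configuration.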
Missing Authorization
Information Disclosure
Affected Products
Weblate