{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33214", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.314Z", "datePublished": "2026-04-15T17:51:46.812Z", "dateUpdated": "2026-04-15T20:02:14.057Z"}, "containers": {"cna": {"title": "Weblate has improper access control for the translation memory API", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r"}, {"name": "https://github.com/WeblateOrg/weblate/pull/18513", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/weblate/pull/18513"}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"version": "< 5.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T17:51:46.812Z"}, "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature."}], "source": {"advisory": "GHSA-mpf5-3vph-q75r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:31:35.155126Z", "id": "CVE-2026-33214", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:02:14.057Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33214", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:31:35.155126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:32:45.655Z"}}], "cna": {"title": "Weblate has improper access control for the translation memory API", "source": {"advisory": "GHSA-mpf5-3vph-q75r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "WeblateOrg", "product": "weblate", "versions": [{"status": "affected", "version": "< 5.17"}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r", "name": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/18513", "name": "https://github.com/WeblateOrg/weblate/pull/18513", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T17:51:46.812Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33214", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:02:14.057Z", "dateReserved": "2026-03-17T23:23:58.314Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T17:51:46.812Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue by blocking access to /api/memory/ in the HTTP server, which removes access to this feature."}], "id": "CVE-2026-33214", "lastModified": "2026-04-15T18:17:20.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T18:17:20.053", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/pull/18513"}, {"source": "security-advisories@github.com", "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.17)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "weblate", "source": "cna", "vendor": "WeblateOrg"}, "product": "weblate", "vendor": "weblate"}], "analysis": {"en": {"generated_at": "2026-04-16T09:10:52.098561+00:00", "value": {"mitigation_remediation": ["Upgrade Weblate to version 5.17 or later to apply the vendor fix.", "If an upgrade is not immediately possible, block or deny HTTP access to the /api/memory/ path in the web or reverse\u2011proxy server to remove the vulnerable functionality.", "Implement or enforce proper authorization controls on all API endpoints to prevent unauthenticated or insufficiently privileged users from accessing translation memory data."], "summary": {"action": "Patch Update", "impact": "Unauthorized access to translation memory data"}, "threat_synthesis": {"affected_systems": "The issue affects installations of Weblate running any version earlier than 5.17. The vendor is WeblateOrg, product Weblate. The fix was introduced in 5.17 and later releases. No specific scoped version list is provided beyond the threshold.", "description_and_impact": "The translation memory API in Weblate enables developers and translators to store and retrieve translation suggestions across projects. Prior to version 5.17 the API exposed additional endpoints that omitted the required authorization checks. As a result, any authenticated user who could reach the endpoints could read or otherwise manipulate translation memory data, exposing potentially confidential translation strings and other sensitive information. This vulnerability is a missing authorization flaw, classified as CWE\u2011862.", "risk_and_exploitability": "The CVSS score is 4.3, placing it in the low\u2011moderate range. No EPSS data is available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Because the affected endpoints are exposed over HTTP, the likely attack vector is remote over the network. An attacker who gains network connectivity to the Weblate instance could exploit the exposure, potentially revealing confidential translation memory data."}}}}, "created": "2026-04-16T09:12:37.518815+00:00", "updated": "2026-04-16T09:15:30.987579+00:00", "vendors": ["weblate", "weblate$PRODUCT$weblate"]}