Exposed in Translation: Weblate Static Asset Bypass
Jan 14, 2026 · 6 min read
Executive Summary (TL;DR)
Weblate, a popular localization tool, relied on the web server (Nginx/Apache) to serve media files directly for performance. This created a bypass where private screenshots were served as public static assets, completely ignoring application-level permissions. An attacker who can guess or discover the filename of a screenshot can view it without authentication. The fix involves moving media serving back into the application layer.
A classic architectural disconnect between the web server and the application logic allows unauthenticated users to access private project screenshots in Weblate by bypassing Django's access controls entirely.
Fix Analysis
Technical Appendix
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Weblate (WeblateOrg) | < 5.15.2 | 5.15.2 |
| Attribute | Detail |
|---|---|
| CWE | CWE-284 (Improper Access Control) |
| CVSS v4.0 | 2.3 (Low) |
| Attack Vector | Network |
| Attack Complexity | High (Requires guessing filenames) |
| Privileges | None / Low |
| Status | Patched |
MITRE ATT&CK Mapping
The product does not properly restrict access to a resource from an unauthorized actor.
Vulnerability Timeline