Trust Issues: The 127.0.0.1 Prefix Bypass in Weblate CLI
Jan 12, 2026 · 5 min read
Executive Summary (TL;DR)
The Weblate CLI disabled SSL verification for any URL starting with '127.0.0.1'. Attackers registered domains like '127.0.0.1.attacker.com' to trick the client into trusting their malicious servers, exposing API tokens and translation data.
A critical logic flaw in the Weblate command-line client (wlc) allowed attackers to bypass SSL/TLS verification by crafting URLs that mimic local loopback addresses. By exploiting a naive string prefix check and case-sensitive protocol validation, malicious actors could perform Man-in-the-Middle (MitM) attacks against developers pushing translation updates.
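The flaw class described above, as an added illustration that is not wlc's own code: a naive "does the URL start with 127.0.0.1?" check placed beside a hardened version that parses the URL and compares the exact hostname. The `vulnerable_should_verify_ssl` function is a hypothetical reconstruction of the bug pattern, not the actual wlc source, and the hostnames in the demo (`127.0.0.1.attacker.example`) are constructed sample values.

```python
"""Prefix-based loopback detection vs. hostname-based detection.

Added example for the write-up; not the wlc project's code. The vulnerable
function is a hypothetical reconstruction of the bug class (string prefix
check on the raw URL), not the real _should_verify_ssl implementation.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit


def vulnerable_should_verify_ssl(url: str) -> bool:
    """Hypothetical weak check: a raw string prefix test on the URL.

    Returns the value that would be passed to requests' ``verify=``.
    Any host whose *string* begins with 127.0.0.1 (for example the
    constructed name 127.0.0.1.attacker.example) is treated as loopback,
    so certificate verification is switched off for it.
    """
    if url.startswith("https://127.0.0.1") or url.startswith("http://127.0.0.1"):
        return False
    return True


def is_loopback_host(host: str) -> bool:
    """True only for an exact loopback host: 'localhost' or a loopback IP."""
    if host == "localhost":
        return True
    try:
        # ip_address() rejects anything that is not a literal address, so a
        # DNS name that merely *starts* with "127.0.0.1" raises ValueError.
        return ip_address(host).is_loopback
    except ValueError:
        return False


def should_verify_ssl(url: str) -> bool:
    """Hardened check: parse the URL, then test the hostname, not a prefix.

    urlsplit() lower-cases the scheme (so 'HTTPS://' and 'https://' behave
    alike), strips userinfo and the port, and removes IPv6 brackets, which
    is why ``hostname`` is the right thing to compare rather than the raw
    string or even ``netloc``.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        # No host at all: keep verification on; there is nothing to trust.
        return True
    return not is_loopback_host(host)


def compare(urls):
    """Return {url: (vulnerable_result, hardened_result)} for a set of URLs."""
    return {u: (vulnerable_should_verify_ssl(u), should_verify_ssl(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs; attacker.example is a reserved example name.
    samples = [
        "https://127.0.0.1:8000/api/",
        "HTTPS://127.0.0.1/api/",
        "https://[::1]:8443/api/",
        "https://127.0.0.1.attacker.example/api/",
        "https://user@127.0.0.1@attacker.example/api/",
        "https://hosted.weblate.org/api/",
    ]
    for url, (weak, strong) in compare(samples).items():
        print(f"{url:48s} prefix-check verify={weak!s:5s} hostname-check verify={strong}")
```

The important difference is in the fourth sample: the prefix check returns `False` (verification disabled) for a remote host whose name merely begins with `127.0.0.1`, while the hostname check keeps verification on because `ip_address("127.0.0.1.attacker.example")` is not a valid address. The same parsing approach also neutralises a userinfo trick (`user@127.0.0.1@attacker.example`), since `hostname` is taken from after the last `@`.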
Fix Analysis
Technical Appendix
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| wlc (WeblateOrg) | < 2026-01-07 (commit a513864) | Jan 2026 release |
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-22250 |
| CVSS v3.1 | 7.5 (High) |
| CWE | CWE-295 (Improper Certificate Validation) |
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Attack Vector | Man-in-the-Middle (MitM) |
| Affected Component | wlc/__init__.py (_should_verify_ssl) |
MITRE ATT&CK Mapping
The software does not validate, or incorrectly validates, a certificate. This allows an attacker to spoof a trusted entity by presenting a certificate that the application accepts.
Known Exploits & Detection
Vulnerability Timeline