CVE-2026-22251

The Key to the Kingdom: Unscoped Credential Leakage in Weblate wlc

Amit Schendel
Senior Security Researcher

Jan 12, 2026 · 6 min read

Executive Summary (TL;DR)

For years, the Weblate CLI tool allowed users to define a 'global' API key in their config file. While convenient, this was a security disaster waiting to happen. If a user ran a command against a malicious Weblate instance (or was tricked into doing so), the client would happily send this global key in the Authorization header. Version 1.17.0 kills this behavior by forcing URL-scoped keys.

A logic flaw in the Weblate command-line client (wlc) configuration parser allowed global API keys to be transmitted to arbitrary, potentially malicious servers.
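To make the difference concrete, the following is an added illustration in Python (hypothetical code, not wlc's own config.py): it models the two key-resolution strategies described above. The INI layout, the section names [weblate] and [keys], and the placeholder credentials are constructed assumptions; the only difference between the two lookup functions is the fallback to the global key.

```python
"""Global vs URL-scoped API key resolution, modelled on the wlc bug.
Added example (hypothetical, not wlc's own code). The config format is
constructed: a global "key" in [weblate], plus [keys] mapping URLs to keys."""
import configparser
from urllib.parse import urlsplit

# Constructed sample config with placeholder (not real) credentials.
SAMPLE_CONFIG = """
[weblate]
url = https://translate.example.org/api/
key = GLOBAL-KEY-PLACEHOLDER

[keys]
https://translate.example.org/api/ = SCOPED-KEY-PLACEHOLDER
"""

def load(text):
    # "=" only: the default ":" delimiter would split the URL option names.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep URL option names as written
    cfg.read_string(text)
    return cfg

def _normalize(url):
    """Canonical form for matching: lowercase scheme and host, trailing slash."""
    p = urlsplit(url)
    path = p.path if p.path.endswith("/") else p.path + "/"
    return f"{p.scheme.lower()}://{p.netloc.lower()}{path}"

def _scoped_key(cfg, url):
    target = _normalize(url)
    if cfg.has_section("keys"):
        for configured_url, key in cfg.items("keys"):
            if _normalize(configured_url) == target:
                return key
    return None

def key_for_url_unscoped(cfg, url):
    """Vulnerable (pre-1.17.0 pattern): any URL without its own key gets the
    global key, so an unconfigured server still receives the credential."""
    return _scoped_key(cfg, url) or cfg["weblate"].get("key")

def key_for_url_scoped(cfg, url):
    """Hardened: a key is sent only to the URL it was bound to; otherwise none."""
    return _scoped_key(cfg, url)

def authorization_header(key):
    """Header the client would attach; empty when no scoped key exists."""
    return {"Authorization": f"Token {key}"} if key else {}
```

Running both resolvers against a URL that is not in [keys] shows the leak: the unscoped variant returns the global key, the scoped variant returns nothing and no Authorization header is built.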

Technical Appendix

CVSS Score: 5.3 / 10
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Affected Systems

Weblate command-line client (wlc) < 1.17.0

Affected Versions Detail

Product: wlc (WeblateOrg)
Affected Versions: < 1.17.0
Fixed Version: 1.17.0

CWE ID: CWE-200 (Information Exposure: Exposure of Sensitive Information to an Unauthorized Actor)
CVSS v3.1: 5.3
Attack Vector: Local (User Interaction Required)
Impact: Credential Leakage
Language: Python
Component: wlc/config.py

Vulnerability Timeline

2024-01-24: Fix committed to GitHub
2024-01-24: Version 1.17.0 released
