Low severity · NVD Advisory · Published Jun 16, 2025 · Updated Jun 17, 2025
Weblate exposes personal IP address via e-mail
CVE-2025-49134
Description
Weblate is a web-based localization tool. Prior to version 5.12, the audit log notification e-mails included the full IP address of the acting user. Any third-party system that handles the mail in transit, such as an SMTP relay or a spam filter, could therefore obtain that address. This issue has been patched in version 5.12.
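As an added example (not Weblate's code), the prefix truncation the patch applies to the notification address, here extended to reject unparseable strings instead of raising and to unwrap IPv4-mapped IPv6 addresses, together with a check that the full client address is absent from the rendered body. The `203.0.113.9` input is a constructed documentation-range value; the other addresses are the ones used in the patch's tests.

```python
"""Anonymize a client IP address before it is placed in an outgoing e-mail.

Constructed example: keeps the IPv4 /16 and IPv6 /48 prefix, as the Weblate
fix does, and additionally handles input the fix would raise on.
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network

IPV4_PREFIX = 16  # keep a.b.0.0
IPV6_PREFIX = 48  # keep the routing prefix, drop the interface identifier


def anonymize_address(address: str | None) -> str:
    """Return a coarse network address, or "" if the input is unusable.

    A coarse prefix still lets the recipient notice an unexpected provider
    or region, while the host part never leaves the server.
    """
    if not address:
        return ""
    try:
        addr = ip_address(address.strip())
    except ValueError:
        # Hostnames, garbage or proxy artefacts must not be sent verbatim.
        return ""
    # ::ffff:203.0.113.9 is an IPv4 address carried in IPv6 notation; treat it
    # as IPv4 so the /48 rule does not collapse it to "::" (hiding the leak).
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if isinstance(addr, IPv4Address) else IPV6_PREFIX
    return str(ip_network(f"{addr}/{prefix}", strict=False).network_address)


def render_notification(activity: str, address: str) -> str:
    """Build the e-mail table cell; only the anonymized address is interpolated."""
    return f"<td>{activity}</td><td>{anonymize_address(address)}</td>"


def leaks_full_address(body: str, address: str) -> bool:
    """Defender's regression check: the exact client address must not appear in the mail."""
    return bool(address) and address in body
```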
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| weblate (PyPI) | < 5.12 | 5.12 |
Affected products
- Range: < 5.12
Patches
020b2905e4d0 feat: anonymize IP address in notification mails
5 files changed · +45 −2
weblate/accounts/models.py+10 −0 modified@@ -8,6 +8,7 @@ import logging import re from datetime import timedelta +from ipaddress import IPv6Network, ip_network from typing import TYPE_CHECKING, Literal from urllib.parse import urlparse @@ -518,6 +519,15 @@ def check_rate_limit(self, request: AuthenticatedHttpRequest) -> bool: return False + @property + def shortened_address(self) -> str: + if not self.address: + return "" + network = ip_network(self.address) + prefix_len = 48 if isinstance(network, IPv6Network) else 16 + supernet = network.supernet(new_prefix=prefix_len) + return str(supernet.network_address) + class VerifiedEmail(models.Model): """Storage for verified e-mails from auth backends."""
weblate/accounts/tasks.py+2 −2 modified@@ -147,7 +147,7 @@ def notify_monthly() -> None: @app.task(trail=False) -def notify_auditlog(log_id, email) -> None: +def notify_auditlog(log_id: int, email: str) -> None: from weblate.accounts.models import AuditLog from weblate.accounts.notifications import send_notification_email @@ -159,7 +159,7 @@ def notify_auditlog(log_id, email) -> None: context={ "message": audit.get_message, "extra_message": audit.get_extra_message, - "address": audit.address, + "address": audit.shortened_address, "user_agent": audit.user_agent, }, info=f"{audit.activity} from {audit.address}",
weblate/accounts/tests/test_models.py+29 −0 added@@ -0,0 +1,29 @@ +# Copyright © Michal Čihař <michal@weblate.org> +# +# SPDX-License-Identifier: GPL-3.0-or-later + +"""Tests for notitifications.""" + +from __future__ import annotations + +from django.test import SimpleTestCase + +from weblate.accounts.models import AuditLog + + +class AuditLogTestCase(SimpleTestCase): + def test_address_ipv4(self): + audit = AuditLog(address="127.0.0.1") + self.assertEqual(audit.shortened_address, "127.0.0.0") + + def test_address_ipv6_local(self): + audit = AuditLog(address="fe80::54c2:1234:5678:90ab") + self.assertEqual(audit.shortened_address, "fe80::") + + def test_address_ipv6_weblate(self): + audit = AuditLog(address="2a01:4f8:c0c:a84b::1") + self.assertEqual(audit.shortened_address, "2a01:4f8:c0c::") + + def test_address_blank(self): + audit = AuditLog() + self.assertEqual(audit.shortened_address, "")
weblate/accounts/tests/test_notifications.py+2 −0 modified@@ -409,6 +409,8 @@ def test_notify_account(self) -> None: # Verify site root expansion in email content = mail.outbox[0].alternatives[0][0] self.assertNotIn('href="/', content) + # Shortened address is used + self.assertIn("<td>127.0.0.0</td>", content) def test_notify_html_language(self) -> None: self.user.profile.language = "cs"
weblate/templates/mail/shared-activity.html+2 −0 modified@@ -18,9 +18,11 @@ </table> <p> + {% blocktranslate %}Sign in to see the full audit log, including the IP address.{% endblocktranslate %} {% blocktranslate %}If you didn’t initiate this, please report it to the server administrators by clicking the button below.{% endblocktranslate %} </p> <div class="line buttons"> + <a class="button" href="{% url 'profile' %}#audit">{% translate "View audit log" %}</a> <a class="button" href="{% url 'contact' %}?t=account">{% translate "Report" %}</a> </div>
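Review bot: in the `weblate/accounts/models.py` hunk, `shortened_address` calls `ip_network(self.address)` without guarding against a stored value that is not a parseable IP address (a hostname, or an address with a port appended), in which case `ValueError` propagates out of the notification task and the e-mail is never sent. Suggest wrapping the parse, for example `try: network = ip_network(self.address)` / `except ValueError: return ""`, and giving the property a docstring that states the /16 and /48 truncation rule so the privacy intent is visible at the definition.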
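Review bot: in the `weblate/accounts/tasks.py` hunk, the unchanged trailing line `info=f"{audit.activity} from {audit.address}"` still interpolates the full address, so the anonymization only covers the template `context`. If `info` can reach the message headers, the subject, or any logging shipped off-host, switch it to `audit.shortened_address` as well; if it is strictly server-side logging, a short comment saying so would stop the next reader from flagging it again.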
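Review bot: in the new `weblate/accounts/tests/test_models.py`, the module docstring has a typo ("notitifications" should be "notifications"). This suite would also be the right place to pin down the behaviour for an unparseable address string, since the four cases cover IPv4, two IPv6 shapes and blank, but nothing that fails to parse.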
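Review bot: in the `weblate/accounts/tests/test_notifications.py` hunk, `self.assertIn("<td>127.0.0.0</td>", content)` shows the shortened form is rendered but does not show the full address is absent; pair it with `self.assertNotIn("127.0.0.1", content)` so a regression that renders both the shortened and the original address would still fail.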
References
- https://github.com/advisories/GHSA-4qqf-9m5c-w2c5 (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-49134 (NVD)
- https://github.com/WeblateOrg/weblate/commit/020b2905e4d001cff2452574d10e6cf3621b5f62 (fix commit)
- https://github.com/WeblateOrg/weblate/pull/15102 (pull request)
- https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1 (release)
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-4qqf-9m5c-w2c5 (vendor advisory)