Low severity · NVD Advisory · Published Nov 6, 2025 · Updated Nov 6, 2025
Weblate leaks the IP of project members inviting users to assume reviewer roles in Audit log
CVE-2025-64326
Description
Weblate is a web-based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member who invites a user to the project: the audit log records the IP address of admin-triggered actions, and the invited user can view that audit log entry. This issue is fixed in version 5.14.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| weblate (PyPI) | < 5.14.1 | 5.14.1 |
Affected products
- Range: < 5.14.1
Patches
b847e9756a0a fix(accounts): exclude other user events from logging detailed info (#16781)
4 files changed · +50 −3
docs/changes.rst+1 −0 modified@@ -12,6 +12,7 @@ Weblate 5.14.1 .. rubric:: Bug fixes +* Omit admin IP address from audit log. * Counting outgoing commits in the repository status. * Listing of other translations. * SAML configuration in the Docker container.
weblate/accounts/migrations/0021_audit_address.py+35 −0 added@@ -0,0 +1,35 @@ +# Copyright © Michal Čihař <michal@weblate.org> +# +# SPDX-License-Identifier: GPL-3.0-or-later + +# Generated by Django 5.2.6 on 2025-11-01 09:36 + +from django.db import migrations + + +def update_audit_log(apps, schema_editor) -> None: + """Remove detailed audit log info for admin actions.""" + AuditLog = apps.get_model("accounts", "AuditLog") + AuditLog.objects.filter( + activity__in={ + "invited", + "admin-locked", + "autocreated", + "blocked", + "enabled", + "disabled", + "disabled-expiry", + } + ).update(address=None, user_agent="") + + +class Migration(migrations.Migration): + dependencies = [ + ("accounts", "0020_alter_auditlog_activity"), + ] + + operations = [ + migrations.RunPython( + update_audit_log, migrations.RunPython.noop, elidable=True + ), + ]
weblate/accounts/models.py+12 −3 modified@@ -400,10 +400,19 @@ def is_new_login(self, user: User, address, user_agent) -> bool: return not logins.filter(Q(address=address) | Q(user_agent=user_agent)).exists() def create( # type: ignore[override] - self, user: User, request: HttpRequest | None, activity, **params + self, user: User, request: HttpRequest | None, activity: str, **params ): - address = get_ip_address(request) - user_agent = get_user_agent(request) + address: str | None = None + user_agent: str = "" + # Log only address for own actions (unauthenticated or when the request user matches audit user) + if request and ( + not hasattr(request, "user") + or not request.user + or not request.user.is_authenticated + or request.user == user + ): + address = get_ip_address(request) + user_agent = get_user_agent(request) if activity == "login" and self.is_new_login(user, address, user_agent): activity = "login-new" return super().create(
weblate/trans/tests/test_acl.py+2 −0 modified@@ -113,6 +113,8 @@ def add_user(self) -> None: # Ensure user is now listed response = self.client.get(self.access_url) self.assertContains(response, self.second_user.username) + invitation_audit = self.second_user.auditlog_set.get(activity="invited") + self.assertIsNone(invitation_audit.address) def test_invite_invalid(self) -> None: """Test inviting invalid form."""
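Review bot: in the migration hunk (weblate/accounts/migrations/0021_audit_address.py) the set of activities scrubbed by `update_audit_log` is hard-coded ("invited", "admin-locked", "autocreated", "blocked", "enabled", "disabled", "disabled-expiry"), while the runtime rule added in `AuditLog.create` is generic (drop address and user agent whenever the request user is not the audited user), so any other admin-initiated activity keeps its historical address after this migration. Either derive the list from a shared constant next to the activity definitions or add a comment stating that these are the only activities that could have been recorded with another user's request data. The noop reverse is the right choice here, since the scrubbed values cannot be restored.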
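Review bot: in the models.py hunk, `is_new_login` is still called with whatever `address`/`user_agent` the new guard produced, and its body uses `Q(address=address) | Q(user_agent=user_agent)`; if that path is ever reached with `address=None` (an authenticated request user recording a "login" event for a different user), `Q(address=None)` renders as `IS NULL` and will match every row the migration just scrubbed, so `is_new_login` would return False and the "login-new" notification would be suppressed. Worth either guarding `activity == "login"` on `address is not None` or asserting in a comment that login events are only ever created from unauthenticated requests. Minor: `not request.user` is redundant, Django's `AnonymousUser` is truthy and is already covered by the `is_authenticated` check.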
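Review bot: the test hunk in weblate/trans/tests/test_acl.py only asserts `invitation_audit.address` is None, but the fix also blanks the user agent for the same events; add `self.assertEqual(invitation_audit.user_agent, "")` so a regression in either field is caught.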
References
- github.com/advisories/GHSA-gr35-vpx2-qxhc (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64326 (advisory)
- github.com/WeblateOrg/weblate/commit/b847e9756a0a6f7659ef20fa9f34846ca862c574 (fix commit)
- github.com/WeblateOrg/weblate/pull/16781 (pull request)
- github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc (vendor advisory)