Moderate severity · OSV Advisory · Published Jan 12, 2026 · Updated Jan 12, 2026
wlc may leak API keys due to an insecure API key configuration
CVE-2026-22251
Description
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
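A defender-side check for the condition described above, as an added example that is not part of the advisory or the wlc project: it flags an API key stored without a server scope. It assumes wlc's INI layout of a `[weblate]` section holding `url` and `key` plus a `[keys]` section mapping API URLs to keys; the host names and key values are constructed placeholders.

```python
import configparser

# Constructed sample configs; host names and key values are placeholders.
UNSCOPED = """\
[weblate]
url = https://weblate.example.org/api/
key = PLACEHOLDER_API_KEY
"""
SCOPED = """\
[weblate]
url = https://weblate.example.org/api/

[keys]
https://weblate.example.org/api/ = PLACEHOLDER_API_KEY
"""
MIXED = SCOPED.replace("[keys]", "key = PLACEHOLDER_API_KEY\n\n[keys]")

MESSAGES = {
    "unscoped-key": "key stored without a server URL; move it under [keys]",
    "no-scoped-key-for-url": "configured url has no matching entry in [keys]",
}

def audit_wlc_config(text, section="weblate"):
    """Return finding codes for one wlc-style INI document (layout assumed)."""
    # Only "=" is a delimiter, so option names that are URLs (with ":") parse.
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.read_string(text)
    url = parser.get(section, "url", fallback="").strip()
    key = parser.get(section, "key", fallback="").strip()
    findings = []
    if key:
        # Not bound to any server: the condition the advisory calls "unscoped".
        findings.append("unscoped-key")
    if url and not parser.has_option("keys", url):
        # Migration incomplete: nothing ties a key to the configured server.
        findings.append("no-scoped-key-for-url")
    return findings

if __name__ == "__main__":
    for name, text in (("unscoped", UNSCOPED), ("scoped", SCOPED), ("mixed", MIXED)):
        codes = audit_wlc_config(text)
        print(name, "->", [MESSAGES[c] for c in codes] or "ok")
```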
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wlc (PyPI) | < 1.17.0 | 1.17.0 |
Affected products
- Range: 0.1, 0.10, 0.2, …
References
- github.com/advisories/GHSA-9rp8-h4g8-8766 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-22251 (ghsa; ADVISORY)
- github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797 (ghsa; x_refsource_MISC; WEB)
- github.com/WeblateOrg/wlc/pull/1098 (ghsa; x_refsource_MISC; WEB)
- github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766 (ghsa; x_refsource_CONFIRM; WEB)