VYPR
Moderate severityNVD Advisory· Published Feb 26, 2026· Updated Mar 3, 2026

Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

CVE-2026-27457

Description

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet (weblate/api/views.py, line 2831) uses queryset = Addon.objects.all() without overriding get_queryset() to scope results by user permissions. This allows any authenticated user (or anonymous users if REQUIRE_LOGIN is not set) to list and retrieve ALL addons across all projects and components via GET /api/addons/ and GET /api/addons/{id}/. Version 5.16.1 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
weblatePyPI
< 5.16.15.16.1

Affected products

3

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.