The Key to the Kingdom: Unscoped Credential Leakage in Weblate wlc
Vulnerability ID: CVE-2026-22251
CVSS Score: 5.3
Published: 2026-01-12
A logic flaw in the Weblate command-line client (wlc) configuration parser allowed global API keys to be transmitted to arbitrary, potentially malicious servers.
TL;DR
For years, the Weblate CLI tool allowed users to define a 'global' API key in their config file. While convenient, this was a security disaster waiting to happen. If a user ran a command against a malicious Weblate instance (or was tricked into doing so), the client would happily send this global key in the Authorization header. Version 1.17.0 kills this behavior by forcing URL-scoped keys.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-200
- CVSS v3.1: 5.3
- Attack Vector: Local (User Interaction Required)
- Impact: Credential Leakage
- Language: Python
- Component: wlc/config.py
Affected Systems
- Weblate command-line client (wlc) < 1.17.0
- wlc: < 1.17.0 (Fixed in: 1.17.0)
Code Analysis
Commit: aafdb50
Fixed insecure key configuration fallback in wlc
--- a/wlc/config.py
+++ b/wlc/config.py
- key = self.cli_key or cast("str", self.get("keys", url, fallback=self.config.get("weblate", "key")))
+ key = self.cli_key or cast("str", self.get("keys", url, fallback=""))
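Review bot: with `fallback=""` the unknown-URL path now yields an empty string instead of the global key, so confirm that the caller omits the `Authorization` header entirely when `key` is empty rather than sending `Token ` with an empty value; a warning when `[weblate] key` is still set but no `[keys]` entry matched the URL would also make the silent behaviour change visible to users who have not yet moved their key into `[keys]`.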
Exploit Details
- Theoretical: Exploitation requires coercing a user to run wlc against an attacker-controlled URL.
Mitigation Strategies
- Strict credential scoping (binding keys to specific URLs)
- Elimination of fallback logic in configuration parsers
- User education regarding social engineering via CLI arguments
Remediation Steps:
- Upgrade wlc to version 1.17.0 or higher immediately.
- Edit ~/.config/wlc/weblate.ini or local .weblate configuration files.
- Remove the key entry from the [weblate] section.
- Add a [keys] section mapping specific URLs to their respective API keys.
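As an added example (not wlc's own code), the following Python models the fallback removed in 1.17.0 and the remediation steps above with configparser on a constructed weblate.ini: the unscoped lookup hands the global key to any URL, the scoped lookup does not, and moving the global key into [keys] closes the gap even for an unpatched client. Section and option names follow the advisory; the hostnames and key values are constructed.

```python
"""Added example (not wlc's own code): unscoped vs. scoped API-key lookup."""
import configparser

# Constructed config: a leftover global key plus one URL-scoped key.
SAMPLE_INI = """
[weblate]
url = https://translate.example.org/api/
key = GLOBAL-KEY-DO-NOT-LEAK

[keys]
https://translate.example.org/api/ = SCOPED-KEY-FOR-EXAMPLE-ORG
"""


def load_config(text: str = SAMPLE_INI) -> configparser.RawConfigParser:
    # Only "=" is a delimiter: with the default ("=", ":") the ":" inside
    # "https://" would split the URL option name. Raw parser: no "%" handling.
    cfg = configparser.RawConfigParser(delimiters=("=",))
    cfg.read_string(text)
    return cfg


def key_for_url_unscoped(cfg, url: str) -> str:
    """Pre-1.17.0 behaviour: an unknown URL falls back to the global key."""
    return cfg.get("keys", url, fallback=cfg.get("weblate", "key", fallback=""))


def key_for_url_scoped(cfg, url: str) -> str:
    """1.17.0 behaviour: an unknown URL gets no key at all."""
    return cfg.get("keys", url, fallback="")


def auth_headers(key: str) -> dict:
    """Attach Authorization only when a key is actually bound to the URL."""
    return {"Authorization": f"Token {key}"} if key else {}


def migrate_global_key(cfg) -> bool:
    """Remediation: bind a leftover [weblate] key to its own URL, then drop it.

    Returns True when a global key was removed. An existing [keys] entry for
    the URL is kept in preference to the global value.
    """
    if not cfg.has_option("weblate", "key"):
        return False
    url = cfg.get("weblate", "url", fallback="")
    if url:
        if not cfg.has_section("keys"):
            cfg.add_section("keys")
        if not cfg.has_option("keys", url):
            cfg.set("keys", url, cfg.get("weblate", "key"))
    cfg.remove_option("weblate", "key")
    return True
```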