CVE-2026-50127: Server-Side Request Forgery Bypass via IPv6 Transition Prefixes in Weblate
Vulnerability ID: CVE-2026-50127
CVSS Score: 5.9
Published: 2026-07-07
A Server-Side Request Forgery (SSRF) vulnerability exists in Weblate's private address validator when the VCS_RESTRICT_PRIVATE setting is enabled. By exploiting IPv6 transition mechanisms, such as NAT64, 6to4, or IPv4-compatible configurations, an attacker can bypass private network boundaries and access internal services.
TL;DR
Weblate's outbound URL validator bypassed using IPv6 transition encapsulation (e.g. NAT64 prefixes), allowing unauthenticated attackers to route HTTP and VCS requests to internal-only endpoints.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network (AV:N)
- CVSS Base Score: 5.9 (Medium)
- EPSS Score: 0.00291 (0.29%)
- Exploit Status: Proof of Concept
- CISA KEV Status: Not Listed
Affected Systems
- Weblate
-
Weblate: >= 5.15, < 2026.6 (Fixed in:
2026.6)
Code Analysis
Commit: b912803
Version 2026.6.1 Code Commit
Mitigation Strategies
- Upgrade Weblate to version 2026.6 or later immediately.
- Establish strict firewall rules to block outbound traffic from the Weblate server to transitional IPv6 ranges.
- Apply localized network segregation to prevent the application server from accessing cloud metadata endpoints.
Remediation Steps:
- Access the local Weblate server administration shell.
- Execute the container or application update process to migrate to Weblate version 2026.6.
- Ensure the local firewall blocks outgoing requests to 64:ff9b::/96 and 2002::/16 prefixes.
References
- Weblate Security Advisory GHSA-vmfc-9982-2m45
- CVE-2026-50127 Record on CVE.org
- Weblate 2026.6 Release Notes
Read the full report for CVE-2026-50127 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)