DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-50127: CVE-2026-50127: Server-Side Request Forgery Bypass via IPv6 Transition Prefixes in Weblate

CVE-2026-50127: Server-Side Request Forgery Bypass via IPv6 Transition Prefixes in Weblate

Vulnerability ID: CVE-2026-50127
CVSS Score: 5.9
Published: 2026-07-07

A Server-Side Request Forgery (SSRF) vulnerability exists in Weblate's private address validator when the VCS_RESTRICT_PRIVATE setting is enabled. By exploiting IPv6 transition mechanisms, such as NAT64, 6to4, or IPv4-compatible configurations, an attacker can bypass private network boundaries and access internal services.

TL;DR

Weblate's outbound URL validator bypassed using IPv6 transition encapsulation (e.g. NAT64 prefixes), allowing unauthenticated attackers to route HTTP and VCS requests to internal-only endpoints.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network (AV:N)
  • CVSS Base Score: 5.9 (Medium)
  • EPSS Score: 0.00291 (0.29%)
  • Exploit Status: Proof of Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • Weblate
  • Weblate: >= 5.15, < 2026.6 (Fixed in: 2026.6)

Code Analysis

Commit: b912803

Version 2026.6.1 Code Commit

Mitigation Strategies

  • Upgrade Weblate to version 2026.6 or later immediately.
  • Establish strict firewall rules to block outbound traffic from the Weblate server to transitional IPv6 ranges.
  • Apply localized network segregation to prevent the application server from accessing cloud metadata endpoints.

Remediation Steps:

  1. Access the local Weblate server administration shell.
  2. Execute the container or application update process to migrate to Weblate version 2026.6.
  3. Ensure the local firewall blocks outgoing requests to 64:ff9b::/96 and 2002::/16 prefixes.

References


Read the full report for CVE-2026-50127 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)