CVE-2025-64326
📋 TL;DR
Weblate versions 5.14 and below expose the IP address of project administrators in audit logs when inviting users to projects. This information leakage allows invited users to view the IP addresses of administrators who performed invitation actions. The vulnerability affects all Weblate instances running vulnerable versions.
💻 Affected Systems
- Weblate
📦 What is this software?
Weblate by Weblate
⚠️ Risk & Real-World Impact
Worst Case
An attacker could correlate administrator IP addresses with other intelligence to identify administrator locations, potentially enabling physical security threats or targeted attacks against administrators.
Likely Case
Invited users can see administrator IP addresses, which reveals network information about administrators but doesn't directly compromise system security.
If Mitigated
With proper network segmentation and administrator systems using VPNs or proxies, the exposed IP addresses would be less sensitive.
🎯 Exploit Status
Exploitation requires being an invited user with access to view audit logs. No special tools or techniques are needed beyond normal user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.14.1
Vendor Advisory: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc
Restart Required: Yes
Instructions:
1. Backup your Weblate instance and database
2. Update Weblate to version 5.14.1 using your package manager or installation method
3. Restart the Weblate service
4. Verify the update was successful
🔧 Temporary Workarounds
Disable audit logging for user invitations
- Modify the Weblate configuration to exclude IP addresses from audit logs for invitation events
- Modify settings.py: AUDITLOG_EXCLUDE = ['weblate.accounts.models.Profile']
Restrict audit log access
- Limit which users can view audit logs to prevent exposure of IP addresses
- Configure Weblate permissions to restrict 'weblate.accounts.auditlog' access to administrators only
🧯 If You Can't Patch
- Restrict audit log viewing permissions to administrators only
- Implement network-level controls to mask administrator IP addresses using proxies or VPNs
🔍 How to Verify
Check if Vulnerable:
Check if Weblate version is 5.14 or below and verify that invited users can view audit logs containing IP addresses from invitation events.
Check Version:
Run weblate --version, or check the admin panel in the Weblate web interface
Verify Fix Applied:
After updating to 5.14.1, verify that audit logs no longer show IP addresses for invitation events when viewed by non-administrator users.
📡 Detection & Monitoring
Log Indicators:
- Audit log entries containing IP addresses for 'invitation' events visible to non-admin users
Network Indicators:
- No network-based indicators: this is an application-level information disclosure
SIEM Query:
Weblate audit logs containing 'invitation' events with IP address fields visible to user accounts
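As an added example (not code from the advisory or from the Weblate project), the two checks from the Verify and Detection sections in one script: a version test against the fixed 5.14.1 release, and a scan of audit entries for 'invitation' events that carry an IP address when shown to a non-admin viewer. The entry layout (activity/address keys) and the sample data are constructed for this example; the page does not show Weblate's real audit log schema.

```python
import ipaddress
import re

# First release carrying the fix, per the vendor advisory for CVE-2025-64326.
FIXED_VERSION = (5, 14, 1)


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the release number from `weblate --version` style output.
    '5.14' is padded to (5, 14, 0) so it sorts before the fixed 5.14.1."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(text: str) -> bool:
    """True when the installed release predates 5.14.1."""
    return parse_version(text) < FIXED_VERSION


def _is_ip_literal(value: str) -> bool:
    """Accept IPv4 or IPv6 literals; anything else is not an address leak."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def exposed_invitation_entries(entries: list[dict], viewer_is_admin: bool) -> list[dict]:
    """Audit entries matching the page's log indicator: an 'invitation'
    activity that carries an IP address, rendered for a non-admin viewer.
    The activity/address keys are a constructed layout, not Weblate's schema."""
    if viewer_is_admin:
        return []  # administrators seeing addresses is expected behaviour
    return [
        entry for entry in entries
        if entry.get("activity") == "invitation" and _is_ip_literal(entry.get("address", ""))
    ]


# Constructed sample entries, not real Weblate audit data.
SAMPLE_ENTRIES = [
    {"activity": "invitation", "user": "admin", "address": "203.0.113.7"},
    {"activity": "invitation", "user": "admin", "address": ""},
    {"activity": "login", "user": "admin", "address": "203.0.113.7"},
    {"activity": "invitation", "user": "admin", "address": "2001:db8::1"},
]
```

Feed `exposed_invitation_entries` the entries exactly as a non-admin account sees them in the interface; any hit after updating to 5.14.1 means the fix is not in effect.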