CVE-2026-21889
📋 TL;DR
CVE-2026-21889 is an improper access control vulnerability in Weblate where screenshot images were served directly by the HTTP server without authentication checks. This allows unauthenticated attackers to access sensitive screenshots by guessing filenames. All Weblate instances prior to version 5.15.2 are affected.
💻 Affected Systems
- Weblate
📦 What is this software?
Weblate by Weblate
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers could access sensitive screenshots containing proprietary translation data, source code snippets, or confidential information, potentially leading to data breaches and intellectual property theft.
Likely Case
Attackers could access random screenshots containing non-critical translation data, exposing some internal project information but not necessarily high-value secrets.
If Mitigated
With proper access controls, only authorized users can view screenshots, preventing unauthorized data access.
🎯 Exploit Status
Exploitation requires guessing screenshot filenames, which may follow predictable patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.15.2
Vendor Advisory: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385
Restart Required: Yes
Instructions:
1. Back up your Weblate instance.
2. Update to Weblate 5.15.2 or later using your package manager or deployment method.
3. Restart the Weblate service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Restrict screenshot directory access
Configure the web server to deny direct access to the screenshot directory. Note that this also blocks screenshot display for authenticated users until the patch is applied.
# For nginx:
location ~ ^/media/screenshots/ {
    deny all;
}
# For Apache:
<Directory "/path/to/weblate/media/screenshots">
    Require all denied
</Directory>
Disable screenshot functionality
Remove or disable the screenshot upload/display features.
# Edit Weblate settings to disable screenshots
🧯 If You Can't Patch
- Implement strict network access controls to limit Weblate access to trusted users only.
- Monitor access logs for unusual screenshot file requests and implement alerting.
🔍 How to Verify
Check if Vulnerable:
Check whether the Weblate version is below 5.15.2, and test whether an unauthenticated request to a screenshot URL returns the image.
Check Version:
Run weblate --version, or check the admin panel in the Weblate web interface.
Verify Fix Applied:
After updating to 5.15.2 or later, verify that unauthenticated requests to screenshot URLs return an authentication error rather than the image.
📡 Detection & Monitoring
Log Indicators:
- Multiple 200/304 responses to screenshot file requests that carry no authenticated session
- Pattern of sequential or guessed screenshot filename requests
Network Indicators:
- Unusual volume of requests to /media/screenshots/ paths from external IPs
SIEM Query:
source="weblate_access.log" AND (uri_path="/media/screenshots/" OR uri_path LIKE "/media/screenshots/%") AND http_status=200 AND NOT authenticated_user=*
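As an added example (not from the advisory or the Weblate project), the log indicators above turned into a small Python check over constructed nginx access-log lines. It assumes the request's Cookie header is logged as a final quoted field and that a Weblate login shows up as Django's default sessionid cookie; both are assumptions, not facts from the advisory.

```python
import re
from collections import defaultdict

# Assumptions (mine, not the advisory's): nginx "combined" log format with
# the request's Cookie header appended as a final quoted field, screenshots
# under /media/screenshots/, and Django's default "sessionid" login cookie.
SCREENSHOT_PREFIX = "/media/screenshots/"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_unauth_screenshot_hit(rec):
    """True when a screenshot was served (200/304) to a request with no login cookie."""
    return (rec["path"].startswith(SCREENSHOT_PREFIX)
            and rec["status"] in ("200", "304")
            and "sessionid=" not in rec["cookie"])

def find_suspicious(lines, threshold=3):
    """Group unauthenticated screenshot hits by client IP; return the IPs that
    reach `threshold` hits, mapped to the paths they fetched (in order)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_unauth_screenshot_hit(rec):
            hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /media/screenshots/shot-1.png HTTP/1.1" 200 5123 "-" "curl/8.5" "-"',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /media/screenshots/shot-2.png HTTP/1.1" 404 153 "-" "curl/8.5" "-"',
    '203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "GET /media/screenshots/shot-3.png HTTP/1.1" 200 4410 "-" "curl/8.5" "-"',
    '203.0.113.7 - - [10/Mar/2026:12:00:04 +0000] "GET /media/screenshots/shot-4.png HTTP/1.1" 304 0 "-" "curl/8.5" "-"',
    '198.51.100.2 - - [10/Mar/2026:12:01:00 +0000] "GET /media/screenshots/shot-1.png HTTP/1.1" 200 5123 "https://weblate.example/translate/" "Mozilla/5.0" "csrftoken=a1; sessionid=s3ss10n"',
    '198.51.100.9 - - [10/Mar/2026:12:02:00 +0000] "GET /static/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for ip, paths in find_suspicious(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} unauthenticated screenshot fetches, e.g. {paths[0]}")
```

The 404 line is deliberately left out of the count: only responses that actually served content (200/304) are indicators, and the logged-in fetch from 198.51.100.2 is excluded by its session cookie.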