CVE-2026-22251
📋 TL;DR
CVE-2026-22251 is a vulnerability in the wlc Weblate command-line client where unscoped API keys could be inadvertently leaked to different servers. This affects users of wlc versions prior to 1.17.0 who have configured unscoped API keys, potentially exposing their Weblate API credentials.
💻 Affected Systems
- wlc (Weblate command-line client)
📦 What is this software?
wlc, the Weblate command-line client, published by the Weblate project.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept or capture API keys, gaining unauthorized access to Weblate instances to modify translations, access sensitive project data, or perform administrative actions depending on key permissions.
Likely Case
API keys could be leaked to unintended servers during normal wlc operations, potentially exposing credentials to third-party services or logging systems.
If Mitigated
With proper network segmentation and monitoring, leaked keys could be detected before exploitation, limiting potential damage.
🎯 Exploit Status
Exploitation requires the attacker to intercept network traffic or access systems where API keys might be leaked. The vulnerability is in the client software, not the Weblate server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.17.0
Vendor Advisory: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766
Restart Required: No
Instructions:
1. Update wlc to version 1.17.0 or later using pip: 'pip install --upgrade "wlc>=1.17.0"' (the quotes stop the shell from treating '>=' as an output redirect).
2. Verify the installation with 'wlc --version'.
3. Replace any unscoped API keys with scoped API keys in your configuration.
🔧 Temporary Workarounds
Replace unscoped API keys with scoped keys
Replace any unscoped API keys in the wlc configuration with properly scoped API keys that limit permissions
# Generate new scoped API key in Weblate web interface
# Update wlc config: wlc config set api_key YOUR_NEW_SCOPED_KEY
Remove unscoped API key configuration
Temporarily remove unscoped API keys from the wlc configuration until the upgrade is applied
# Check current config: wlc config list
# Remove api_key: wlc config unset api_key
🧯 If You Can't Patch
- Immediately replace all unscoped API keys with properly scoped API keys that have minimal necessary permissions
- Implement network monitoring for API key leakage and restrict wlc usage to trusted networks only
🔍 How to Verify
Check if Vulnerable:
Check the wlc version with 'wlc --version' and confirm whether it is below 1.17.0. Also check whether any unscoped API keys are configured using 'wlc config list'.
Check Version:
wlc --version
Verify Fix Applied:
Confirm wlc version is 1.17.0 or higher with 'wlc --version'. Verify no unscoped API keys are configured.
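The two checks above (installed version below 1.17.0, and an API key configured without a server scope) can be scripted. The following is an added example written for this page; it is not code from the advisory or from the wlc project. It assumes wlc's INI-style configuration layout: a [weblate] section holding url and key, and an optional [keys] section that maps a server URL to the key used for that server. It also assumes that "unscoped" means a key in the [weblate] section, which is not tied to any particular server, while a key under [keys] is scoped to one URL. The sample configurations and placeholder key values are constructed.

```python
"""Added example, not code from the advisory or from the wlc project.

Audits a wlc installation for CVE-2026-22251 exposure: the installed
version is compared against the fixed release, and the wlc configuration
is inspected for an API key that is not bound to a server URL.

Assumptions (labelled because the advisory does not spell them out):
  * wlc's configuration is INI-style with a [weblate] section holding
    "url" and "key", and an optional [keys] section mapping a server URL
    to the key used for that server.
  * "unscoped" means a key in the [weblate] section, which is not tied to
    any particular server; a key under [keys] counts as scoped.
"""
import configparser
from typing import Dict, List, Tuple

FIXED_VERSION = "1.17.0"  # patch version stated in the advisory

# Constructed sample configurations; the key values are placeholders.
VULNERABLE_CONFIG = """\
[weblate]
url = https://hosted.weblate.org/api/
key = PLACEHOLDER-UNSCOPED-KEY

[keys]
https://hosted.weblate.org/api/ = PLACEHOLDER-SCOPED-KEY
"""

HARDENED_CONFIG = """\
[weblate]
url = https://hosted.weblate.org/api/

[keys]
https://hosted.weblate.org/api/ = PLACEHOLDER-SCOPED-KEY
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.16' or '1.17.0' into a three-part tuple so that 1.17 == 1.17.0."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed wlc is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def _load(config_text: str) -> configparser.ConfigParser:
    # Only '=' is a delimiter: a ':' delimiter would split the URLs that
    # serve as option names in [keys]. Case is preserved so URLs round-trip.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # type: ignore[assignment]
    parser.read_string(config_text)
    return parser


def audit(installed_version: str, config_text: str) -> Dict[str, object]:
    """Summarise version and key-scoping findings for one wlc configuration."""
    cfg = _load(config_text)
    unscoped = bool(cfg.get("weblate", "key", fallback="").strip())
    scoped = list(cfg["keys"].keys()) if cfg.has_section("keys") else []
    return {
        "version_vulnerable": is_vulnerable_version(installed_version),
        "unscoped_key": unscoped,
        "scoped_servers": scoped,
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit("1.16", text))
```

To run it against a real installation, pass the output of 'wlc --version' as the first argument and the contents of your wlc configuration file as the second; a result with version_vulnerable true or unscoped_key true means the remediation steps above still apply.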
📡 Detection & Monitoring
Log Indicators:
- Unexpected API key usage patterns
- Authentication attempts from unusual locations
- Failed API requests with old/unscoped keys
Network Indicators:
- API key strings in plaintext network traffic
- wlc client connections to unexpected servers
SIEM Query:
source="*wlc*" AND ("api_key" OR "authentication") | stats count by src_ip, dest_ip
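The network indicators listed above can be checked outside a SIEM as well. The following is an added example written for this page, not code from the advisory or the wlc project: it applies two of those indicators to log lines, a wlc client connecting to a server outside an allow-list, and a wlc client using plain HTTP, where an API key would travel in clear text. The key=value log format, the sample lines and the host weblate.example.net are constructed for the example; parse_line() is the part to adapt to a real egress or proxy log source.

```python
"""Added example, not code from the advisory or from the wlc project.

Applies two network indicators for CVE-2026-22251 to log lines:
  * a wlc client talking to a server outside an allow-list, and
  * a wlc client using plain HTTP (an API key would be sent in clear text).

Assumption: the log is a constructed key=value line format with ts, src,
scheme, dst, path and a quoted ua field. Adapt parse_line() to your source.
"""
import re
from typing import Dict, Iterable, List

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines; weblate.example.net is a made-up host.
SAMPLE_LOG = """\
ts=2026-01-10T09:00:01Z src=10.0.0.5 scheme=https dst=hosted.weblate.org path=/api/projects/ ua="wlc/1.16"
ts=2026-01-10T09:00:07Z src=10.0.0.5 scheme=https dst=weblate.example.net path=/api/translations/ ua="wlc/1.16"
ts=2026-01-10T09:01:12Z src=10.0.0.9 scheme=http dst=hosted.weblate.org path=/api/ ua="wlc/1.15"
ts=2026-01-10T09:02:30Z src=10.0.0.7 scheme=https dst=hosted.weblate.org path=/api/ ua="curl/8.5.0"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_wlc(entry: Dict[str, str]) -> bool:
    """Only wlc client traffic is in scope for this CVE."""
    return entry.get("ua", "").startswith("wlc/")


def find_indicators(lines: Iterable[str], allowed_hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious wlc connection, in log order."""
    allowed = {host.lower() for host in allowed_hosts}
    findings: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = parse_line(raw)
        if not is_wlc(entry):
            continue
        base = {"ts": entry.get("ts", ""), "src": entry.get("src", ""), "dst": entry.get("dst", "").lower()}
        if base["dst"] not in allowed:
            findings.append({**base, "reason": "wlc connection to unexpected server"})
        if entry.get("scheme", "").lower() == "http":
            findings.append({**base, "reason": "wlc over plain HTTP: API key would be sent in clear text"})
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG.splitlines(), ["hosted.weblate.org"]):
        print(finding)
```

The allow-list should contain exactly the Weblate servers your teams are expected to use; a wlc connection to any other host is the pattern this CVE is about and is worth correlating with the key-rotation steps above.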