CVE-2026-24126
📋 TL;DR
Weblate before 5.16.0 has an argument injection vulnerability in the SSH management page of the management interface (served at /manage/ssh/ inside the web UI) when adding SSH host keys: a user-supplied value reaches the ssh-add invocation without validation, so a value that begins with "-" is parsed by the helper as an option rather than as data. An attacker who can use that page, which requires a Weblate superuser account, can run arbitrary commands on the server as the Weblate service user. Every Weblate deployment below 5.16.0 carries the flaw; installations that pull from or push to VCS repositories over SSH are the ones actually using the affected feature.
💻 Affected Systems
- Weblate
📦 What is this software?
Weblate by Weblate: a web-based continuous localization platform written in Python/Django. It clones and pushes translation repositories (Git, Mercurial and others), commonly over SSH, and keeps its own SSH key pair and known_hosts under its data directory, which is what the SSH management page administers.
⚠️ Risk & Real-World Impact
Worst Case
Command execution as the Weblate service user (the account running uWSGI and Celery), which exposes the database credentials and SECRET_KEY from the settings, all translation data, and the private SSH key Weblate uses for repository access, so lateral movement to the VCS hosts that trust that key is possible.
Likely Case
Because the page is superuser-only, the realistic path is a compromised or malicious administrator account (phished credentials, a reused password, a stolen session) turning web-admin access into shell access: reading settings and data files, altering configuration, and establishing persistence on the host.
If Mitigated
If the management interface is reachable only from an administrative network and superuser accounts are few and protected by strong authentication, the remaining exposure is an insider who already holds superuser rights.
🎯 Exploit Status
Exploitation requires an authenticated session with access to the SSH management page, i.e. a Weblate superuser account; it is not reachable by ordinary users or anonymously. The defect is missing input validation on the value that the host-key addition passes to ssh-add: a list-style subprocess call without a shell does not help here, because the helper's own option parser still treats a leading "-" as a flag.
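The following is an added illustration of the bug class, not Weblate's code and not the patch: a user-supplied host value appended to an ssh-* helper's argv, a small model of how a getopt(3)-style parser in the child sees that argv, and a hardened builder that validates the value and terminates option parsing with "--". The function names and the regex are the author's assumptions; the tool names are OpenSSH's, and "--" is honoured by OpenSSH's getopt-based tools, but the validation is kept regardless because not every helper supports it.

```python
import re

# Plain DNS hostname or dotted IPv4: labels of letters, digits and hyphens, never a
# leading '-'. IPv6 literals and ports are deliberately out of scope for this check.
HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_like_getopt(argv):
    """Model of how a getopt(3)-style parser in the child process reads argv[1:]:
    every element starting with '-' is an option until a literal '--' is seen,
    after which everything is positional. Returns (options, positionals)."""
    options, positionals = [], []
    it = iter(argv[1:])
    for arg in it:
        if arg == "--":
            positionals.extend(it)
            break
        (options if arg.startswith("-") else positionals).append(arg)
    return options, positionals


def build_argv_vulnerable(tool, host):
    """Unsafe shape: the user-controlled value is appended as-is. Passing a list
    (no shell) prevents shell injection but not argument injection."""
    return [tool, host]


def is_safe_host(host):
    """True only for a value that cannot be mistaken for an option by the helper."""
    return HOST_RE.fullmatch(host) is not None


def build_argv_hardened(tool, host):
    """Reject anything that is not a hostname/IPv4, then also end option parsing
    with '--' so the child never interprets the value as a flag."""
    if not is_safe_host(host):
        raise ValueError(f"refusing host value that is not a hostname: {host!r}")
    return [tool, "--", host]


if __name__ == "__main__":
    injected = "-f/tmp/hosts"  # constructed: any flag the helper honours
    print(parse_like_getopt(build_argv_vulnerable("ssh-add", injected)))
    print(parse_like_getopt(build_argv_hardened("ssh-add", "git.example.com")))
```

Run with the vulnerable builder the injected value lands in the options list; with the hardened builder it is rejected before any process is spawned, and a legitimate hostname is the only positional argument.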
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.16.0
Vendor Advisory: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-33fm-6gp7-4p47
Restart Required: Yes
Instructions:
1. Back up the Weblate instance: the database and the data directory (DATA_DIR, which holds the SSH keys and repository clones).
2. Update Weblate to 5.16.0 or later using your package manager, pip, or the updated Docker image.
3. Apply the usual post-upgrade steps for your installation method (database migrations, static files).
4. Restart the Weblate services (uWSGI or the WSGI server and the Celery workers).
5. Verify that the running instance reports the new version.
🔧 Temporary Workarounds
Restrict SSH Management Console Access
The SSH management console is a set of pages under /manage/ in the Weblate web UI, not a separate network service, so a port-level firewall rule restricts the whole web application, not just the console. Where that is acceptable (for example an internal instance with a known set of client addresses), limit who can reach the Weblate HTTP port; where it is not, restrict the /manage/ path at the reverse proxy instead.
# Example: allow the Weblate HTTP port only from a trusted address using iptables
# (order matters: the ACCEPT must precede the DROP)
iptables -A INPUT -p tcp --dport [WEBLATE_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [WEBLATE_PORT] -j DROP
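A path-level restriction keeps the rest of Weblate reachable while limiting the management interface to an administrative network. The fragment below is an added example for an nginx reverse proxy in front of Weblate; it is not from the page or the Weblate project. The network 203.0.113.0/24 and the upstream name weblate_upstream are placeholders for your own values, and the proxy_set_header lines must match whatever your main location block already sends.

```nginx
# Restrict the Weblate management UI (/manage/, including /manage/ssh/) to admins.
# Place this alongside the existing "location /" block that proxies to Weblate.
location ^~ /manage/ {
    allow 203.0.113.0/24;   # placeholder: administrative network
    allow 127.0.0.1;
    deny  all;              # everyone else gets 403 before reaching Django

    proxy_pass http://weblate_upstream;   # same upstream as the main location
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

The ^~ modifier makes this prefix location win over regex locations, so a generic static-file or catch-all rule cannot accidentally bypass it. If another proxy or load balancer sits in front of nginx, the allow/deny decision is made on that proxy's address unless real_ip_header/set_real_ip_from are configured for it.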
🧯 If You Can't Patch
- Restrict who can reach the management interface (/manage/) with network access controls or a path restriction at the reverse proxy, so that only administrators on trusted networks can open the SSH page.
- Keep superuser accounts to the minimum and protect them with strong authentication: the vulnerable page is only reachable by superusers, so every superuser account is an attack path.
- Audit the SSH host keys currently stored on the /manage/ssh/ page and remove any entry you did not add.
🔍 How to Verify
Check if Vulnerable:
Check the running version on the About page of the web UI (/about/) or from the command line. Any version below 5.16.0 is vulnerable; the SSH management page is always present for superusers, so there is no separate "SSH management enabled" switch to look for.
Check Version:
weblate list_versions          # prints the Weblate version and its dependencies
pip show weblate | grep -i '^Version'   # the installed package, for pip installs
docker compose exec weblate weblate list_versions   # Docker deployments
Verify Fix Applied:
Confirm that the running instance (not only the installed package) reports 5.16.0 or later after the services have been restarted. Do not probe a production instance with injected host values; the version check is the verification.
📡 Detection & Monitoring
Log Indicators:
- Unusual SSH key addition attempts
- Error messages related to ssh-add command failures
- Multiple failed authentication attempts to management console
Network Indicators:
- Unusual traffic patterns to Weblate SSH management endpoints
- Connection attempts from unexpected sources
SIEM Query:
source="weblate" AND ("ssh-add" OR "ssh key" OR "management console") AND status="error"
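Web server access logs are the most widely available signal, since the vulnerable action is an HTTP POST to the SSH management page. The script below is an added example, not part of the page: it parses nginx/Apache combined-format lines, flags any request under /manage/ from an address outside an administrative allowlist, and raises the severity for a POST to /manage/ssh/. The sample log lines and the trusted networks are constructed for the example; the path /manage/ssh/ is Weblate's SSH management page.

```python
import ipaddress
import re

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed allowlist: where administrators are expected to come from.
TRUSTED = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: one legitimate admin POST, one untrusted address browsing the
# SSH page and then posting to it, and ordinary traffic that must not alert.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:09:12:01 +0000] "POST /manage/ssh/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2026:09:13:44 +0000] "GET /manage/ssh/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2026:09:13:59 +0000] "POST /manage/ssh/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.0.4.2 - - [10/Feb/2026:09:14:10 +0000] "GET /projects/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_str, trusted):
    """True if the client address falls inside any allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def find_suspicious(log_text, trusted=TRUSTED):
    """Alert on management-UI requests from outside the allowlist; a POST to the
    SSH page is the action that exercises the vulnerable code, so it is 'high'."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manage/"):
            continue
        if is_trusted(rec["ip"], trusted):
            continue
        ssh_post = rec["method"] == "POST" and rec["path"].startswith("/manage/ssh")
        alerts.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": "high" if ssh_post else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

A 302 on the POST is the normal redirect after a form submission, so status alone does not distinguish a successful injection from a benign add; the address, the account behind the session (from Weblate's own audit log) and the host values now listed on the SSH page are what to correlate. If the logs come from a reverse proxy, make sure the logged address is the real client, not the proxy's, or every request will look like it came from one trusted host.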