CVE-2025-67715: Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)

December 15, 2025 (updated December 20, 2025)

It was possible to retrieve user notification settings or list all users via API.

References

github.com/WeblateOrg/weblate
github.com/WeblateOrg/weblate/pull/17256
github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4
github.com/advisories/GHSA-3pmh-24wp-xpf4
nvd.nist.gov/vuln/detail/CVE-2025-67715

Code Behaviors & Features

Detect and mitigate CVE-2025-67715 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →