CVE-2026-22251: Weblate wlc has insecure API key configuration

January 12, 2026

Historically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against different server.

References

github.com/WeblateOrg/wlc
github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797
github.com/WeblateOrg/wlc/pull/1098
github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766
github.com/advisories/GHSA-9rp8-h4g8-8766
nvd.nist.gov/vuln/detail/CVE-2026-22251

Code Behaviors & Features

Detect and mitigate CVE-2026-22251 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →