CVE-2026-33214: Weblate: Improper access control for the translation memory in API

April 16, 2026 (updated June 8, 2026)

The translation memory API exposed unintended endpoints, which in turn didn’t do proper access control.

References

github.com/WeblateOrg/weblate/pull/18513
github.com/WeblateOrg/weblate/security/advisories/GHSA-mpf5-3vph-q75r
github.com/advisories/GHSA-mpf5-3vph-q75r
github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-152.yaml
nvd.nist.gov/vuln/detail/CVE-2026-33214

Code Behaviors & Features

Detect and mitigate CVE-2026-33214 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →