CVE-2026-22251

MEDIUM 5.3 | EPSS 0.01%

Weblate wlc has insecure API key configuration

Published: 1/12/2026 | Modified: 2/3/2026
Also known as: GHSA-9rp8-h4g8-8766

Description

### Impact

Historically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against a different server.

### Patches

* https://github.com/WeblateOrg/wlc/pull/1098

### Workarounds

Remove the unscoped `key` from the wlc configuration. Only use URL-scoped keys in the `[keys]` sections.

### References

This issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.
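A check for the workaround above, as an added example that is not code from the wlc project: it reports every configuration section that still sets an unscoped `key` and whether a URL-scoped replacement already exists in `[keys]`. The section names `[weblate]` and `[staging]`, the `url` option, the exact-match lookup, and all sample values are assumptions made for illustration.

```python
import configparser

# Constructed sample: [weblate] still carries the legacy unscoped `key`;
# [staging] (a hypothetical extra section) has one too, with no scoped
# replacement in [keys].
SAMPLE = """\
[weblate]
url = https://weblate.example.com/api/
key = CONSTRUCTED-UNSCOPED-1

[staging]
url = https://staging.example.org/api/
key = CONSTRUCTED-UNSCOPED-2

[keys]
https://weblate.example.com/api/ = CONSTRUCTED-SCOPED
"""


def audit_wlc_config(text):
    """Return one finding per section that still sets an unscoped `key`."""
    # Split on "=" only: the default ":" delimiter would cut the URL
    # option names in [keys] at "https".
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    scoped = set(parser.options("keys")) if parser.has_section("keys") else set()
    findings = []
    for section in parser.sections():
        if section == "keys" or not parser.has_option(section, "key"):
            continue
        url = parser.get(section, "url", fallback=None)
        findings.append({
            "section": section,
            "url": url,
            # Assumption: a scoped key applies when its option name in
            # [keys] equals the section's `url` exactly.
            "scoped_key_present": url in scoped,
        })
    return findings


if __name__ == "__main__":
    for f in audit_wlc_config(SAMPLE):
        fix = ("remove `key`" if f["scoped_key_present"]
               else "add a [keys] entry for this URL, then remove `key`")
        print(f"[{f['section']}] unscoped key for {f['url']}: {fix}")
```

The findings deliberately omit the key values so the output can be pasted into a ticket or CI log.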

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N |

References (6)