CVE-2026-33212 — Weblate: Improper access control for pending tasks in API

Description

### Impact The API for tasks didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. ### Patches * https://github.com/WeblateOrg/weblate/pull/18515 ### Workarounds The attacker needs to guess the random UUID of the task, so exploiting this is unlikely with the default API rate limits. ### References This issue was identified by Michal Čihař.

How to fix CVE-2026-33212

To remediate CVE-2026-33212, upgrade the affected package to a fixed version below.

—upgrade to 5.17 or later

Is CVE-2026-33212 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-33212
PATCHgithub.com/WeblateOrg/weblate
WEBgithub.com/WeblateOrg/weblate/commit/4e06b12cd05d087db68384e09d5f70fe883f2b70
WEBgithub.com/WeblateOrg/weblate/pull/18515