Weblate Project Backup Vulnerability Leads to Potential Remote Code Execution (CVE-2026-33435)
Weblate versions before 5.17 are susceptible to remote code execution due to unfiltered Git and Mercurial configuration files in project backups, potentially allowing attackers to execute arbitrary code under specific conditions.
Weblate, a web-based localization tool, contains a vulnerability (CVE-2026-33435) in versions prior to 5.17. The flaw stems from the project backup functionality, which fails to adequately filter Git and Mercurial configuration files. This oversight can be exploited to achieve remote code execution (RCE) under certain circumstances. The vulnerability was reported and patched in version 5.17. For unpatched systems, mitigation consists of restricting access to the project backup feature; since the feature is available only to users with project creation privileges, limiting that privilege to trusted users limits exposure. This vulnerability poses a significant risk, as successful exploitation can lead to complete system compromise, data breaches, and follow-on malicious activity from the compromised host.
Attack Chain
- An attacker gains access to a Weblate account with project creation privileges.
- The attacker creates a malicious project containing crafted Git or Mercurial configuration files.
- The attacker triggers a project backup.
- The backup process fails to properly sanitize the malicious configuration files.
- The backup is stored on the server, potentially overwriting existing files.
- The Weblate server attempts to process or utilize the tainted configuration files.
- Due to improper sanitization, the malicious configuration files trigger command execution within the Weblate server’s environment.
- The attacker achieves remote code execution, gaining control over the Weblate server.
Impact
Successful exploitation of CVE-2026-33435 can lead to remote code execution on the Weblate server. The impact includes potential data breaches, unauthorized access to localization projects, and complete compromise of the affected system. While the exact number of affected installations is unknown, organizations using vulnerable versions of Weblate risk significant operational disruption and data loss. Sectors utilizing Weblate for localization, such as software development, content creation, and e-commerce, are at increased risk.
Recommendation
- Upgrade Weblate to version 5.17 or later to patch CVE-2026-33435.
- If upgrading is not immediately feasible, restrict access to the project backup feature to trusted users only, as recommended in the CVE description.
- Monitor web server logs for unusual activity related to project backup downloads, focusing on requests to /admin/backup/ paths. Use the provided Sigma rule to detect unusual file downloads from the webserver.
- Implement the provided Sigma rule to detect suspicious file uploads of git configuration files.
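The two detections above, as an added example that is not part of the advisory or its Sigma rules: a small Python checker applied to constructed web server access-log lines in the combined log format. It flags uploads (POST/PUT/PATCH) whose percent-decoded target ends in .git/config, and successful GET requests under /admin/backup/, the paths named on this page; the Mercurial file name .hg/hgrc is an assumption, since the advisory mentions Mercurial configuration files without naming one.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote
# Combined log format as written by nginx/Apache; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
BACKUP_PATH = "/admin/backup/"  # path named in the advisory's recommendation
# .git/config is named in the advisory; .hg/hgrc is an assumption for the Mercurial case.
SCM_CONFIG_SUFFIXES = (".git/config", ".hg/hgrc")
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
class Alert(NamedTuple):
    severity: str
    rule: str
    ip: str
    path: str

def evaluate(line: str) -> Optional[Alert]:
    """Apply both detections to one access-log line; return an Alert or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding and drop the query string so "%2Egit%2Fconfig" is still caught.
    path = unquote(m["path"].split("?", 1)[0])
    method, ip, status = m["method"], m["ip"], m["status"]
    # High: an upload whose target is a Git or Mercurial configuration file.
    if method in UPLOAD_METHODS and path.endswith(SCM_CONFIG_SUFFIXES):
        return Alert("high", "scm_config_upload", ip, path)
    # Medium: a successful download from the project backup path (denied requests are ignored).
    if method == "GET" and BACKUP_PATH in path and status.startswith("2"):
        return Alert("medium", "backup_download", ip, path)
    return None

def scan(lines: List[str]) -> List[Alert]:
    return [a for a in (evaluate(line) for line in lines) if a is not None]

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "POST /upload/.git/config HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:05 +0000] "GET /admin/backup/proj-42/download/ HTTP/1.1" 200 8192 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Mar/2026:12:01:00 +0000] "GET /projects/docs/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:12:01:30 +0000] "PUT /files/%2Ehg%2Fhgrc HTTP/1.1" 201 256 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2026:12:02:00 +0000] "GET /admin/backup/proj-42/download/ HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.rule}: {alert.ip} -> {alert.path}")
```

Running it against the sample yields three alerts (two high, one medium); the denied 403 backup request is not flagged.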
Detection coverage (2 rules)
Detect Web Server Download of Backup Files (severity: medium)
Detects downloads of backup files from the web server, potentially indicating an attempt to exploit CVE-2026-33435.
Detect Suspicious Upload of Git Configuration Files (severity: high)
Detects the upload of .git/config files to a web server, potentially indicating an attempt to exploit CVE-2026-33435.