MEDIUM 5.9

CVE-2026-50127: Weblate VCS_RESTRICT_PRIVATE IP Range Bypass (CVSS 5.9)

Weblate, a web-based localization platform, contained a network access control bypass in its VCS_RESTRICT_PRIVATE feature. Between versions 5.15 and before 2026.6, the feature failed to properly recognize certain IPv6 address ranges, IPv4 semi-private ranges, and multicast addresses as restricted. This allowed requests from those network addresses to bypass intended private-range restrictions, potentially enabling unauthorized access to internal resources or services that should have been isolated. The vulnerability has been resolved in version 2026.6.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The VCS_RESTRICT_PRIVATE mechanism in Weblate is designed to prevent version control system operations from addresses in private IP ranges—a common security control to isolate internal infrastructure. The implementation incorrectly classified certain address families as external when they should have been treated as restricted. Specifically, the vulnerability affects transitional IPv6 ranges (such as IPv4-mapped IPv6 addresses and other legacy bridging mechanisms), IPv6 multicast and anycast ranges, and semi-private IPv4 ranges that fall outside the standard RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). An attacker could craft requests using these overlooked address ranges to circumvent the intended isolation, potentially accessing backend services or triggering unintended VCS operations. The underlying flaw is a logic error in IP range validation (CWE-918: Server-Side Request Forgery).

Business impact

Organizations using Weblate in environments where VCS_RESTRICT_PRIVATE is relied upon for security isolation face elevated risk of unauthorized access to version control systems or related backend infrastructure. If Weblate is deployed in a hybrid or cloud environment where network boundaries are porous, or where it sits adjacent to other critical systems, an attacker could leverage these overlooked IP ranges to bypass intended restrictions and potentially exfiltrate source code, modify translations maliciously, or trigger downstream build and deployment pipelines. The impact is most acute for teams treating the private-range restriction as a primary security boundary rather than one layer of defense.

Affected systems

Weblate versions 5.15 through 2026.5 (inclusive) are affected. The vulnerability does not apply to versions before 5.15 or version 2026.6 and later. Affected installations must be running one of these intermediate versions with VCS_RESTRICT_PRIVATE enabled. Verify your installed version by checking the Weblate admin interface or deployment logs.

Exploitability

Exploitation requires network-layer access to reach the Weblate instance and knowledge of the VCS_RESTRICT_PRIVATE configuration. The attacker must craft requests using one of the overlooked IP ranges (specific transitional IPv6 blocks, multicast ranges, or semi-private IPv4 ranges). The CVSS score of 5.9 (Medium) reflects that while the attack vector is network-accessible and requires no authentication or user interaction, the conditions are somewhat specialized—the attacker must be aware of and able to originate traffic from the specific unfiltered ranges. This is not an easy, widespread exploit, but is feasible for determined adversaries in positions to influence network routing or source addresses.

Remediation

Upgrade Weblate to version 2026.6 or later. This release corrects the IP range validation logic to properly recognize all transitional IPv6 ranges, multicast addresses, and semi-private IPv4 ranges. There are no known workarounds for prior versions; patching is the recommended mitigation. Organizations unable to patch immediately should implement network-level controls (firewall rules, WAF policies, or reverse-proxy filters) to restrict access to the Weblate instance to known trusted networks.

Patch guidance

Weblate administrators should update to version 2026.6 via the standard upgrade process documented in the Weblate deployment guide. The patch modifies the VCS_RESTRICT_PRIVATE validation function to use a comprehensive allowlist of restricted IPv6 and IPv4 ranges, including RFC 4291 transitional formats, link-local and multicast blocks, and semi-private ranges beyond RFC 1918. Test the upgrade in a staging environment first to ensure no integration regressions with your VCS backend (Git, Mercurial, etc.). After upgrade, verify that the private-range filtering is functioning by reviewing Weblate's access logs and confirming that requests from the previously overlooked ranges are now blocked or logged.

Detection guidance

Monitor Weblate access logs and version control system audit trails for unusual request patterns originating from unusual IP addresses—particularly those in IPv6 ranges (fe80::/10 link-local, ff00::/8 multicast, 2001:db8::/32 documentation), IPv4 ranges like 169.254.0.0/16 (link-local), 100.64.0.0/10 (shared address space), or 240.0.0.0/4 (reserved). Look for VCS operations (clone, push, pull, commit) that correlate with these addresses and do not correspond to known internal infrastructure. If you maintain network flow data, search for outbound connections from Weblate instances to backend version control servers with source addresses in these ranges. Check Weblate's application logs for any errors or unusual behavior around the VCS_RESTRICT_PRIVATE feature itself.

Why prioritize this

This vulnerability merits prompt but not emergency remediation. The CVSS score is Medium (5.9), and real-world exploitation requires both network-layer sophistication and specific knowledge of the feature and overlooked ranges. However, if your Weblate instance serves as a gateway to sensitive source code or is positioned in a trust boundary, upgrade sooner. Organizations in fully airgapped or strictly controlled network environments face lower practical risk. Prioritize this alongside other medium-severity patches in your regular cycle, but don't delay beyond the next quarterly patch window.

Risk score, explained

CVSS 5.9 (Medium) reflects a network-accessible vulnerability (AV:N) that requires high complexity to exploit (AC:H)—the attacker must identify and originate traffic from specific overlooked IP ranges. No authentication or user interaction is required (PR:N, UI:N). The impact scope is unchanged (S:U), and confidentiality impact is high (C:H) because an attacker could read or clone sensitive repositories. Integrity and availability impacts are rated as none (I:N, A:N) under the base CVSS model, though in practice, malicious VCS operations could affect both. The AC:H factor is the main reason this is Medium rather than High; real-world attack surface is limited to organizations and network topologies where the attacker can source or route traffic through those specific address ranges.

Frequently asked questions

Do I need to update if VCS_RESTRICT_PRIVATE is disabled in my Weblate configuration?

No, this vulnerability only affects instances where VCS_RESTRICT_PRIVATE is explicitly enabled. If you have disabled the feature or never configured it, you are not exposed. However, we recommend reviewing your network access policies to version control systems regardless, as other controls may be necessary.

What are 'semi-private' and 'transitional' IPv6 ranges, and why are they a risk here?

Semi-private IPv4 ranges (like 100.64.0.0/10, used for carrier-grade NAT) and transitional IPv6 ranges (like ::ffff:0:0/96, used to map IPv4 addresses into IPv6 space) are used in modern networks but are often overlooked in security filters because they're not as well-known as RFC 1918 private ranges. An attacker able to send traffic with a source address in one of these ranges could convince Weblate to treat it as 'private' and therefore trusted, when it shouldn't be.

Can I patch Weblate without downtime?

This depends on your deployment model. If you run Weblate in a container or use a blue-green deployment strategy, patching can often be performed with zero or minimal downtime. If you run a single-instance traditional server, plan for a brief service window. Review the Weblate upgrade guide and test the process in staging before applying to production.

Is there a way to temporarily mitigate this without upgrading?

Implement firewall or reverse-proxy rules to restrict network access to your Weblate instance to known trusted networks only. A WAF can also be configured to block requests with source IPs from the problematic ranges (IPv6 fe80::/10, ff00::/8; IPv4 169.254.0.0/16, 100.64.0.0/10, 240.0.0.0/4). This is not a substitute for patching but reduces attack surface while you plan your upgrade.

This analysis is provided for informational purposes by SEC.co and reflects information available as of the publication and modification dates listed. While we strive for accuracy, we make no warranty regarding the completeness or timeliness of the vulnerability details, patch status, or vendor responses. Organizations should verify patch availability and applicability directly with Weblate's official release notes and security advisories. This is not legal or compliance advice. Consult your security and legal teams regarding patch management obligations and timelines specific to your environment and industry. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).