wlc may leak API keys due to an insecure API...

5.3 / 10

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Description

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

Basic Information

ID CVE-2026-22251

Source GitHub_M

Published Jan 12, 2026 at 17:55

Affected Product

Vendor WeblateOrg

Product wlc

Version < 1.17.0

Affected Versions WeblateOrg wlc < 1.17.0

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.",
    "published": "2026-01-12T17:55:09.699Z",
    "modified": "2026-01-12T17:55:09.699Z",
    "type": "cve",
    "title": "wlc may leak API keys due to an insecure API key configuration",
    "source": "GitHub_M",
    "references": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766\nhttps://github.com/WeblateOrg/wlc/pull/1098\nhttps://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797",
    "id": "CVE-2026-22251",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "WeblateOrg wlc < 1.17.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "wlc",
    "version": "< 1.17.0",
    "vendor": "WeblateOrg",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

wlc may leak API keys due to an insecure API key configuration_CVE-2026-22251