📄 Description (English)
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.
🤖 AI Executive Summary
Weblate versions prior to 5.15.2 contain an improper access control vulnerability allowing unauthenticated users to access screenshot images by guessing filenames. This affects organizations using Weblate for localization and translation management, potentially exposing sensitive project documentation and internal communications. The vulnerability requires no authentication and poses a moderate-to-high risk for organizations handling confidential localization content.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 3, 2026 19:26
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Weblate for localization of government services, banking applications, and telecommunications platforms are at risk. Most vulnerable sectors include: Government (NCA, CITC) for e-government portal localization; Banking (SAMA-regulated institutions) for application interfaces; Telecommunications (STC, Mobily) for customer-facing content; and Healthcare organizations managing multilingual medical documentation. The exposure of screenshot metadata could reveal internal project structures, timelines, and sensitive business processes.
🏢 Affected Saudi Sectors
Government
Banking
Telecommunications
Healthcare
Software Development
E-commerce
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
1. IMMEDIATE ACTIONS:
- Identify all Weblate instances in your environment and verify current version
- Restrict network access to Weblate servers using firewall rules (allow only authenticated users)
- Review access logs for suspicious screenshot access attempts
2. PATCHING:
- Upgrade all Weblate installations to version 5.15.2 or later immediately
- Test patches in non-production environments first
- Schedule maintenance windows for production upgrades
3. COMPENSATING CONTROLS (if immediate patching not possible):
- Implement web application firewall (WAF) rules to block direct screenshot access patterns
- Configure HTTP server (nginx/Apache) to require authentication for /screenshots/ directory
- Implement rate limiting on screenshot requests
- Use reverse proxy authentication layer
4. DETECTION:
- Monitor for HTTP 200 responses to screenshot requests from unauthenticated sources
- Alert on sequential filename enumeration attempts (e.g., screenshot_1.png, screenshot_2.png)
- Log all access to /screenshots/ directory with source IP and user agent
- Search logs for patterns: GET.*screenshot.*\.(png|jpg|jpeg|gif)
🔧 خطوات المعالجة (العربية)
1. الإجراءات الفورية:
- تحديد جميع مثيلات Weblate في بيئتك والتحقق من الإصدار الحالي
- تقييد الوصول إلى شبكة خوادم Weblate باستخدام قواعد جدار الحماية (السماح فقط للمستخدمين المصرح لهم)
- مراجعة سجلات الوصول لمحاولات الوصول المريبة إلى لقطات الشاشة
2. التصحيح:
- ترقية جميع تثبيتات Weblate إلى الإصدار 5.15.2 أو أحدث فوراً
- اختبار التصحيحات في بيئات غير الإنتاج أولاً
- جدولة نوافذ الصيانة لترقيات الإنتاج
3. الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
- تنفيذ قواعد جدار تطبيقات الويب (WAF) لحظر أنماط الوصول المباشر إلى لقطات الشاشة
- تكوين خادم HTTP (nginx/Apache) لمطالبة المصادقة لدليل /screenshots/
- تنفيذ تحديد معدل الطلبات على طلبات لقطات الشاشة
- استخدام طبقة مصادقة وكيل عكسي
4. الكشف:
- مراقبة استجابات HTTP 200 لطلبات لقطات الشاشة من مصادر غير مصرح لها
- تنبيه على محاولات تعداد أسماء الملفات المتسلسلة
- تسجيل جميع الوصول إلى دليل /screenshots/ مع عنوان IP ووكيل المستخدم
- البحث في السجلات عن الأنماط: GET.*screenshot.*\.(png|jpg|jpeg|gif)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control policy
A.6.2.1 - User registration and access rights management
A.8.2.1 - Classification of information
A.8.2.3 - Handling of assets
🔵 SAMA CSF
ID.AC-1 - Access Control Policy and Procedures
ID.AC-2 - Physical and Logical Access Controls
PR.AC-1 - Identities and Credentials Management
PR.AC-3 - Access Enforcement
DE.CM-1 - The organization monitors systems and information
🟡 ISO 27001:2022
6.2 - Determine access rights
8.2.1 - User registration and access rights
8.2.2 - User access provisioning
8.2.3 - Management of privileged access rights
8.3.1 - User access review
🔗 References & Sources 3
🔗
https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47
security-advisories@github.com
Patch
🔗
https://github.com/WeblateOrg/weblate/pull/17516
security-advisories@github.com
Issue Tracking
🔗
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385
security-advisories@github.com
Patch
Vendor Advisory
📦 Affected Products / CPE 1 entries
weblate:weblate