CVE-2026-22251 - Vulnerability Details - OpenCVE

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Weblateorg	Wlc

No data.

No data.

References

Link	Providers
https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797
https://github.com/WeblateOrg/wlc/pull/1098
https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766

History

Tue, 13 Jan 2026 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Weblateorg Weblateorg wlc
Vendors & Products		Weblateorg Weblateorg wlc

Mon, 12 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 12 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
Title		wlc may leak API keys due to an insecure API key configuration
Weaknesses		CWE-200
References		https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797 https://github.com/WeblateOrg/wlc/pull/1098 https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-12T17:55:09.699Z

Updated: 2026-01-12T18:43:53.664Z

Reserved: 2026-01-07T05:19:12.921Z

Link: CVE-2026-22251

Vulnrichment

Updated: 2026-01-12T18:43:24.564Z

NVD

Status : Awaiting Analysis

Published: 2026-01-12T18:15:49.457

Modified: 2026-01-13T14:03:18.990

Link: CVE-2026-22251

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22251", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.921Z", "datePublished": "2026-01-12T17:55:09.699Z", "dateUpdated": "2026-01-12T18:43:53.664Z"}, "containers": {"cna": {"title": "wlc may leak API keys due to an insecure API key configuration", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766"}, {"name": "https://github.com/WeblateOrg/wlc/pull/1098", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/wlc/pull/1098"}, {"name": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797", "tags": ["x_refsource_MISC"], "url": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797"}], "affected": [{"vendor": "WeblateOrg", "product": "wlc", "versions": [{"version": "< 1.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T17:55:09.699Z"}, "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers."}], "source": {"advisory": "GHSA-9rp8-h4g8-8766", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T18:43:08.912343Z", "id": "CVE-2026-22251", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:43:53.664Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22251", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T18:43:08.912343Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:43:24.564Z"}}], "cna": {"title": "wlc may leak API keys due to an insecure API key configuration", "source": {"advisory": "GHSA-9rp8-h4g8-8766", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WeblateOrg", "product": "wlc", "versions": [{"status": "affected", "version": "< 1.17.0"}]}], "references": [{"url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766", "name": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WeblateOrg/wlc/pull/1098", "name": "https://github.com/WeblateOrg/wlc/pull/1098", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797", "name": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T17:55:09.699Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22251", "state": "PUBLISHED", "dateUpdated": "2026-01-12T18:43:53.664Z", "dateReserved": "2026-01-07T05:19:12.921Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-12T17:55:09.699Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}