- CVE: CVE-2026-23535
- Product: Weblate CLI tool wlc
- Affected Versions: wlc < 1.17.2
- CVSS v3.1 Score: 8.1 (High severity)
- Network attack vector
- High impact on confidentiality, integrity, availability
- Low privileges required
- User interaction required
- Exploitability: Feasible but requires user action
- Exploit Availability: No known public proof-of-concept at time of writing
- Mitigation: Upgrade to patched release (link below)
- Weakness: Path traversal / arbitrary file write
What this vulnerability actually is
wlc is a command-line client used to talk to Weblate servers and download translations. The specific problem in CVE-2026-23535 happens in the multi-translation download feature:
When you ask the client to download many translation files, it contacts the Weblate server, gets metadata about files, and writes them to disk. The vulnerability exists because the client did not properly clean or restrict the file paths it received from the server.
A malicious or compromised server could return file names or directory names that include ../ sequences or absolute paths. Instead of confining downloaded files inside the intended folder, the client would follow those sequences and write files anywhere on disk where the current user has permissions.
This is known as path traversal: you can break out of the safe directory and place files in places you shouldn’t. Because wlc writes files on behalf of the user, and may be run in build environments, CI systems, or developer machines, this can be abused to:
- overwrite system or app config files
- drop malicious scripts
- tamper with build artifacts
- insert data that later gets executed
- break availability of software
This scenario requires:
- a malicious or controlled Weblate server (or one you don't trust), and
- someone running the wlc download command against it.
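A hardened version of the download step, added here as an example and not wlc's own code: each server-supplied file name is joined to the target directory and the resolved result is checked against that directory before anything is written. The `confined_path` and `write_translations` functions and the `SAMPLE_ENTRIES` response are constructed for this illustration.

```python
import os
import tempfile

def confined_path(target_dir: str, server_name: str) -> str:
    """Resolve a server-supplied file name under target_dir, or raise
    ValueError when it would land outside it (the CVE-2026-23535 case)."""
    root = os.path.realpath(target_dir)
    # Reject absolute names outright: os.path.join would discard the root.
    if os.path.isabs(server_name) or server_name.startswith(("/", "\\")):
        raise ValueError(f"absolute path rejected: {server_name!r}")
    candidate = os.path.realpath(os.path.join(root, server_name))
    # realpath collapses '..' and follows symlinks; the result must stay
    # strictly below root (root itself is a directory, not a target file).
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes target directory: {server_name!r}")
    return candidate

def write_translations(target_dir, entries):
    """Write (name, content) pairs; return (written, rejected) name lists."""
    written, rejected = [], []
    for name, content in entries:
        try:
            path = confined_path(target_dir, name)
        except ValueError:
            rejected.append(name)  # skip and report instead of writing anywhere
            continue
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        written.append(os.path.relpath(path, os.path.realpath(target_dir)))
    return written, rejected

# Constructed server response: two ordinary entries plus the two hostile
# names quoted in the text above. File contents are placeholders.
SAMPLE_ENTRIES = [
    ("locale/de/LC_MESSAGES/django.po", 'msgid "Hello"\nmsgstr "Hallo"\n'),
    ("locale/fr/LC_MESSAGES/django.po", 'msgid "Hello"\nmsgstr "Bonjour"\n'),
    ("../../../../etc/cron.d/malicious", "<constructed content>\n"),
    ("/root/.ssh/authorized_keys", "<constructed content>\n"),
]

def demo():
    """Run the constructed download against a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return write_translations(tmp, SAMPLE_ENTRIES)
```

With the check in place the two traversal entries are rejected and only the two paths below the target directory are created.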
How it could be exploited (educational)
To exploit this, someone who controls a Weblate server (or tampers with an existing one) would craft the response to the multi-translation API call so that the JSON contains dangerous paths, like:
../../../../etc/cron.d/malicious
or
/root/.ssh/authorized_keys
When wlc processes that response, it would create “translations” with those paths and write them — escaping the intended directory. If the victim has write permission there, this results in arbitrary file creation outside the safe folder.
Remember: this is not remote code execution by default — it depends on what you do with the file that gets written.
Detection / hunting basics
Detecting exploitation or attempts to abuse this vulnerability comes down to watching for indicators of unexpected file writes after someone runs wlc.
1. Endpoint and process logging
- Look for wlc processes starting with abnormal arguments or pointing to unknown servers.
- On *nix: auditd or system logs showing wlc download calls with external URLs.
- On Windows: Sysmon Event ID 1 process creation events showing wlc.
2. Unexpected filesystem writes
Monitor for files appearing in places that make no sense for a translation download:
- Changes to system config dirs
- Files in /etc, /usr/local/bin, service unit directories
- New cron jobs, startup scripts, SSH keys
Example detection logic:
- After a wlc run, if there’s any file created outside the normal translation target directory, treat it as suspicious.
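That logic applied to auditd-style records, added here as an example and not part of the original page: the SYSCALL record of an audit event names the process (comm="wlc") and the PATH records of the same event carry the created file names, so any CREATE by wlc outside the expected target directory is flagged. The log lines are constructed for the example; the field layout follows the auditd format.

```python
import os
import re
from collections import defaultdict

# Constructed auditd-style records for three file creations: wlc writing a
# translation file, wlc writing into /etc/cron.d, and an unrelated editor.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=257 success=yes exit=3 comm="wlc" exe="/usr/bin/python3" key="wlc_writes"
type=PATH msg=audit(1700000000.101:901): item=0 name="/srv/app/locale/de/LC_MESSAGES" nametype=PARENT
type=PATH msg=audit(1700000000.101:901): item=1 name="/srv/app/locale/de/LC_MESSAGES/django.po" nametype=CREATE
type=SYSCALL msg=audit(1700000000.102:902): arch=c000003e syscall=257 success=yes exit=3 comm="wlc" exe="/usr/bin/python3" key="wlc_writes"
type=PATH msg=audit(1700000000.102:902): item=0 name="/etc/cron.d" nametype=PARENT
type=PATH msg=audit(1700000000.102:902): item=1 name="/etc/cron.d/malicious" nametype=CREATE
type=SYSCALL msg=audit(1700000000.103:903): arch=c000003e syscall=257 success=yes exit=3 comm="vim" exe="/usr/bin/vim" key="wlc_writes"
type=PATH msg=audit(1700000000.103:903): item=1 name="/etc/cron.d/backup" nametype=CREATE
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(text):
    """Group records by audit serial: {'comm': str, 'created': [paths]}."""
    events = defaultdict(lambda: {"comm": None, "created": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: q or u for k, q, u in FIELD_RE.findall(m["body"])}
        ev = events[int(m["serial"])]
        if m["type"] == "SYSCALL":
            ev["comm"] = fields.get("comm")
        elif m["type"] == "PATH" and fields.get("nametype") == "CREATE":
            ev["created"].append(fields.get("name"))
    return events

def outside(target_dir, path):
    """True when path is not at or below target_dir (both absolute)."""
    root = os.path.normpath(target_dir)
    return os.path.commonpath([root, os.path.normpath(path)]) != root

def suspicious_wlc_writes(text, target_dir, tool="wlc"):
    """(serial, path) pairs where `tool` created a file outside target_dir."""
    hits = []
    for serial, ev in sorted(parse_audit(text).items()):
        if ev["comm"] != tool:
            continue
        hits.extend((serial, p) for p in ev["created"] if outside(target_dir, p))
    return hits
```

The audit serial lets the process and the created path be tied together even though auditd emits them as separate records.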
3. Network traffic / IDS
If you have network logging or IDS/IPS:
- Look for responses from Weblate servers where the JSON payload includes ../ or absolute paths.
- Set alerts for suspicious sequences in responses coming from Weblate REST API endpoints.
This type of detection is only useful if you can inspect the traffic and separate trusted from untrusted endpoints.
Example detection rules
Sigma (suspicious file writes by the wlc process)
title: wlc CLI writing files with path traversal tokens
status: experimental
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\wlc.exe'
        TargetFilename|contains:
            - '..\\'
            - '/../'
    condition: selection
level: high
This watches for files written by a wlc process whose target path still carries a traversal sequence. Sysmon Event ID 11 (file create) records the writing process in Image, so no separate correlation with the Event ID 1 process-creation event is needed. A ':\' token is deliberately not included, since every absolute Windows path would match it.
Suricata/IDS (HTTP response inspection)
alert http any any -> any any (msg:"Suspicious path traversal token in Weblate API response"; flow:established,to_client; http.response_body; content:"../"; sid:1001001; rev:1;)
Only enable this if you proxy or inspect traffic to Weblate servers.
EDR / Host file monitoring
- Create rules to alert whenever a new file appears in system critical folders (like /etc, /usr/local/bin, startup dirs) right after an authenticated tool run.
- Alert on file creation in protected locations when the parent process is wlc.
How a PoC may look (educational)
There’s no official PoC script published yet. A typical PoC for a path traversal in a client would mimic a server API that responds with crafted JSON pointing to bad paths. The attacker would:
- Stand up a stub REST server
- Return translation list with crafted paths
- Have the victim run wlc download against that server
- Observe files written outside intended folder
Such PoCs are often simple and based on misuse of the API format.
Indicators of compromise (IoCs)
Watch for:
- New files in system directories with timestamps matching a wlc run
- Cron jobs, SSH keys, or service units created shortly after wlc commands
- Proxy logs showing wlc talking to servers that return odd path strings
- Files with traversal characters in names
Defensive steps beyond patching
- Upgrade to wlc ≥ 1.17.2. This removes the vulnerable path handling code. 🔗 Official fixed release: https://github.com/WeblateOrg/wlc/releases/tag/1.17.2
- Restrict wlc usage to trusted servers. Don't run it against unknown or publicly uncontrolled Weblate instances.
- Run wlc in sandboxed/least-privileged context. If possible, run the CLI in a container or under a user with only minimal rights so arbitrary writes have limited impact.
- File integrity monitoring (FIM). Tools like OSSEC, Tripwire, or built-in OS audit can help flag unexpected changes.
- Educate developers/CI owners about avoiding untrusted endpoints.
Final Takeaway
CVE-2026-23535 is a high-severity path traversal flaw in the Weblate command-line client. It allows a malicious server to trick the client into writing files anywhere the user has permission. There’s no widely shared exploit yet, but the impact is significant enough to treat it seriously. The right action is to update the client, monitor for unusual file writes, and tighten network and usage policies around translation tools.
