Authorization bypass through user-controlled key in Tolgee - #VU133248
Published: June 2, 2026
Vulnerability identifier: #VU133248
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Tolgee
Affected software: Tolgee

Detailed vulnerability description

The vulnerability allows a remote user to modify translation suggestions in another project or disclose sensitive information.

The vulnerability exists due to an authorization bypass through a user-controlled key (CWE-639) in the translation suggestion handling endpoints: they validate only the local key context and then process suggestion operations on a user-supplied suggestion identifier without verifying that the suggestion belongs to that project. A remote user can send a specially crafted request to modify translation suggestions in another project or disclose sensitive information.

The accept operation can copy the victim's suggestion text into the attacker's project.

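Added illustration, not Tolgee's code: a minimal Python model of the pattern the description names, a handler that authorizes the caller against the key's project and then acts on a suggestion id without checking which project that suggestion belongs to, beside a form that binds the suggestion to the authorized project. All names, ids and sample data are constructed.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    pass

@dataclass(frozen=True)
class Suggestion:
    id: int
    project_id: int
    text: str

# Constructed sample state: "editor1" may edit project 1 only, "editor2" project 2 only.
KEY_PROJECT = {10: 1, 20: 2}  # translation key id -> owning project id
SUGGESTIONS = {100: Suggestion(100, 1, "hello"),
               200: Suggestion(200, 2, "draft text from project 2")}
PERMISSIONS = {"editor1": {1}, "editor2": {2}}

def can_edit(user, project_id):
    return project_id in PERMISSIONS.get(user, set())

def accept_vulnerable(user, key_id, suggestion_id, translations):
    # Authorizes only the key's project, then trusts the supplied suggestion id.
    project_id = KEY_PROJECT[key_id]
    if not can_edit(user, project_id):
        raise Forbidden
    suggestion = SUGGESTIONS[suggestion_id]  # never compared with project_id
    translations[key_id] = suggestion.text   # text from another project copied in
    return suggestion.text

def accept_fixed(user, key_id, suggestion_id, translations):
    project_id = KEY_PROJECT[key_id]
    if not can_edit(user, project_id):
        raise Forbidden
    suggestion = SUGGESTIONS[suggestion_id]
    # Bind the user-controlled id to the project that was actually authorized.
    if suggestion.project_id != project_id:
        raise Forbidden
    translations[key_id] = suggestion.text
    return suggestion.text

def try_accept(handler, user, key_id, suggestion_id):
    # Returns the stored text, or None if the handler refused the request.
    translations = {}
    try:
        handler(user, key_id, suggestion_id, translations)
    except Forbidden:
        return None
    return translations.get(key_id)
```

The same ownership check belongs on every operation that takes a suggestion id, since the description covers read (disclosure) as well as modify paths.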
Remediation

Install the security update from the vendor's website.

Sources