LibreTranslate - IP Spoofing via X-Forwarded-For Header | Advisories

Advisories

LibreTranslate - IP Spoofing via X-Forwarded-For Header

severity: medium
date: 6/29/2026
Affecting: LibreTranslate <= 1.9.7, fixed in commit 397fd22
CVE: CVE-2026-57942
CWE: CWE-348 Use of Less Trusted Source
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References: Researcher Disclosure
Pull Request
Patch Commit
Credit: George Chen
Description: LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo