The screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename.
Patches
https://github.com/WeblateOrg/weblate/pull/17516
References
Thanks to Lukas May and Michael Leu for reporting this.