It was possible to accept an invitation opened by a different Weblate user.
Users should avoid leaving Weblate sessions with an unattended opened invitation.
Thanks to Nahid0x for responsibly disclosing this vulnerability to Weblate.
"https://github.com/pypa/advisory-database/blob/main/vulns/weblate/PYSEC-2026-2042.yaml"