CVE-2026-27793
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| seerr-team | seerr | < 3.1.0 | affected |
Weaknesses
- CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/seerr-team/seerr/security/advisories/GHSA-f7xw-jcqr-57hp
- https://github.com/seerr-team/seerr/commit/4f089b29d0bb41d382168b17aa152eb5b8a25303
- https://github.com/seerr-team/seerr/releases/tag/v3.1.0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.