Skip to main content

Cleanuparr EUVDEUVD-2026-12144

| CVE-2026-32702 MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-03-13 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 22:01 euvd
EUVD-2026-12144
Analysis Generated
Mar 13, 2026 - 22:01 vuln.today
CVE Published
Mar 13, 2026 - 21:09 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1.

AnalysisAI

Cleanuparr versions 2.7.0 through 2.8.0 contain a timing-based username enumeration vulnerability in the /api/auth/login endpoint that allows unauthenticated remote attackers to discover valid usernames by analyzing response time differences. The flaw stems from password verification logic that performs expensive cryptographic hashing only after validating username existence, creating a measurable timing side-channel. This vulnerability is fixed in version 2.8.1 and presents a moderate information disclosure risk with a CVSS score of 6.9, though exploitation requires no special privileges or user interaction.

Technical ContextAI

Cleanuparr is an automation tool for managing unwanted or blocked files across media server applications including Sonarr, Radarr, and download clients like qBittorrent. The vulnerability relates to CWE-208 (Observable Timing Discrepancy), a class of side-channel attacks where security-sensitive operations execute at different speeds based on input validity. The root cause is a logic flaw in the authentication endpoint's VerifyPassword function where username validation short-circuits occur before the time-intensive password hashing operation. In secure implementations, password hashing should execute regardless of username validity to prevent attackers from distinguishing between invalid usernames and invalid passwords. The timing differential between these two code paths—typically milliseconds—is sufficient for remote attackers to statistically determine which usernames exist in the system when making repeated requests over a network.

RemediationAI

Upgrade Cleanuparr to version 2.8.1 or later immediately to patch the timing-based username enumeration vulnerability. Users unable to upgrade immediately should implement compensating controls such as restricting network access to the Cleanuparr API endpoint to trusted IP addresses only, deploying rate limiting on the /api/auth/login endpoint to reduce the feasibility of timing analysis attacks, and enabling HTTPS with strong cipher suites to increase attack complexity. Additionally, consider implementing intrusion detection signatures to monitor for patterns consistent with username enumeration attempts (multiple failed login attempts with varying response times). Monitor authentication logs for suspicious patterns and consider implementing an account lockout policy after repeated failed login attempts to further limit enumeration feasibility.

Share

EUVD-2026-12144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy