Skip to main content

Sonarr EUVDEUVD-2026-15990

| CVE-2026-30975 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-03-25 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:14 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.0.16.2942
EUVD ID Assigned
Mar 25, 2026 - 21:17 euvd
EUVD-2026-15990
Analysis Generated
Mar 25, 2026 - 21:17 vuln.today
CVE Published
Mar 25, 2026 - 21:08 nvd
HIGH 8.1

DescriptionGitHub Advisory

Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: Disabled for Local Addresses) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to Enabled, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.

AnalysisAI

Sonarr, a PVR application for Usenet and BitTorrent users, contains an authentication bypass vulnerability affecting installations configured with authentication disabled for local addresses. Attackers can exploit this flaw to gain unauthorized access to Sonarr instances when deployed without a properly configured reverse proxy that filters malicious headers. The vulnerability affects versions prior to 4.0.16.2942 (nightly/develop) and 4.0.16.2944 (stable/main), with patches now available from the vendor.

Technical ContextAI

The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing), which occurs when an application accepts and trusts certain headers or network attributes to determine authentication requirements without proper validation. Sonarr's 'Disabled for Local Addresses' authentication mode relies on request metadata to determine if a connection originates locally, but fails to properly validate or sanitize headers that indicate request origin. An attacker can manipulate these headers (such as X-Forwarded-For or similar proxying headers) to appear as a local connection, bypassing authentication controls entirely. The affected product is identified via CPE as cpe:2.3:a:sonarr:sonarr:*:*:*:*:*:*:*:*, encompassing all vulnerable versions of the Sonarr application.

RemediationAI

Users should upgrade to Sonarr version 4.0.16.2942 or later for nightly/develop installations (available at https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942) or version 4.0.16.2944 or later for stable/main releases (available at https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944). If immediate patching is not feasible, administrators should change the Authentication Required setting from 'Disabled for Local Addresses' to 'Enabled' to enforce authentication for all connections. Alternative mitigations include deploying Sonarr behind a properly configured reverse proxy that sanitizes forwarding headers, avoiding direct internet exposure of Sonarr instances, and restricting access through VPN solutions such as Tailscale or similar zero-trust network access tools. Detailed remediation guidance is provided in the security advisory at https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r.

Share

EUVD-2026-15990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy