Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: Disabled for Local Addresses) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to Enabled, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.
AnalysisAI
Sonarr, a PVR application for Usenet and BitTorrent users, contains an authentication bypass vulnerability affecting installations configured with authentication disabled for local addresses. Attackers can exploit this flaw to gain unauthorized access to Sonarr instances when deployed without a properly configured reverse proxy that filters malicious headers. The vulnerability affects versions prior to 4.0.16.2942 (nightly/develop) and 4.0.16.2944 (stable/main), with patches now available from the vendor.
Technical ContextAI
The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing), which occurs when an application accepts and trusts certain headers or network attributes to determine authentication requirements without proper validation. Sonarr's 'Disabled for Local Addresses' authentication mode relies on request metadata to determine if a connection originates locally, but fails to properly validate or sanitize headers that indicate request origin. An attacker can manipulate these headers (such as X-Forwarded-For or similar proxying headers) to appear as a local connection, bypassing authentication controls entirely. The affected product is identified via CPE as cpe:2.3:a:sonarr:sonarr:*:*:*:*:*:*:*:*, encompassing all vulnerable versions of the Sonarr application.
RemediationAI
Users should upgrade to Sonarr version 4.0.16.2942 or later for nightly/develop installations (available at https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942) or version 4.0.16.2944 or later for stable/main releases (available at https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944). If immediate patching is not feasible, administrators should change the Authentication Required setting from 'Disabled for Local Addresses' to 'Enabled' to enforce authentication for all connections. Alternative mitigations include deploying Sonarr behind a properly configured reverse proxy that sanitizes forwarding headers, avoiding direct internet exposure of Sonarr instances, and restricting access through VPN solutions such as Tailscale or similar zero-trust network access tools. Detailed remediation guidance is provided in the security advisory at https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15990