Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities by seerr-team
CVE-2026-27792 (GCVE-0-2026-27792)
Vulnerability from nvd – Published: 2026-02-27 19:33 – Updated: 2026-02-27 20:19
VLAI
Title
Seerr missing authentication on pushSubscription endpoints
Summary
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/seerr-team/seerr/security/advi… | x_refsource_CONFIRM |
| https://github.com/seerr-team/seerr/commit/946bde… | x_refsource_MISC |
| https://github.com/seerr-team/seerr/releases/tag/v3.1.0 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| seerr-team | seerr |
Affected:
>= 2.7.0, < 3.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27792",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T20:16:46.521972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T20:19:07.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "seerr",
"vendor": "seerr-team",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:33:18.469Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/seerr-team/seerr/security/advisories/GHSA-gx3h-3jg5-q65f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/seerr-team/seerr/security/advisories/GHSA-gx3h-3jg5-q65f"
},
{
"name": "https://github.com/seerr-team/seerr/commit/946bdecec524b4e7f8aaf8f2b3856f319a3580c1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/commit/946bdecec524b4e7f8aaf8f2b3856f319a3580c1"
},
{
"name": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0"
}
],
"source": {
"advisory": "GHSA-gx3h-3jg5-q65f",
"discovery": "UNKNOWN"
},
"title": "Seerr missing authentication on pushSubscription endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27792",
"datePublished": "2026-02-27T19:33:18.469Z",
"dateReserved": "2026-02-24T02:31:33.265Z",
"dateUpdated": "2026-02-27T20:19:07.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27793 (GCVE-0-2026-27793)
Vulnerability from nvd – Published: 2026-02-27 19:38 – Updated: 2026-03-02 12:51
VLAI
Title
Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials
Summary
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/seerr-team/seerr/security/advi… | x_refsource_CONFIRM |
| https://github.com/seerr-team/seerr/commit/4f089b… | x_refsource_MISC |
| https://github.com/seerr-team/seerr/releases/tag/v3.1.0 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| seerr-team | seerr |
Affected:
< 3.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T12:50:56.548791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T12:51:21.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "seerr",
"vendor": "seerr-team",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:38:49.589Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/seerr-team/seerr/security/advisories/GHSA-f7xw-jcqr-57hp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/seerr-team/seerr/security/advisories/GHSA-f7xw-jcqr-57hp"
},
{
"name": "https://github.com/seerr-team/seerr/commit/4f089b29d0bb41d382168b17aa152eb5b8a25303",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/commit/4f089b29d0bb41d382168b17aa152eb5b8a25303"
},
{
"name": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0"
}
],
"source": {
"advisory": "GHSA-f7xw-jcqr-57hp",
"discovery": "UNKNOWN"
},
"title": "Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27793",
"datePublished": "2026-02-27T19:38:49.589Z",
"dateReserved": "2026-02-24T02:31:33.265Z",
"dateUpdated": "2026-03-02T12:51:21.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27707 (GCVE-0-2026-27707)
Vulnerability from nvd – Published: 2026-02-27 19:29 – Updated: 2026-02-27 20:22
VLAI
Title
Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint
Summary
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/seerr-team/seerr/security/advi… | x_refsource_CONFIRM |
| https://github.com/seerr-team/seerr/commit/4ae206… | x_refsource_MISC |
| https://github.com/seerr-team/seerr/releases/tag/v3.1.0 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| seerr-team | seerr |
Affected:
>= 2.0.0, < 3.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T20:22:11.831766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T20:22:24.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "seerr",
"vendor": "seerr-team",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `\"\"` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:32:07.180Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7"
},
{
"name": "https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e"
},
{
"name": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0"
}
],
"source": {
"advisory": "GHSA-rc4w-7m3r-c2f7",
"discovery": "UNKNOWN"
},
"title": "Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27707",
"datePublished": "2026-02-27T19:29:18.768Z",
"dateReserved": "2026-02-23T17:56:51.203Z",
"dateUpdated": "2026-02-27T20:22:24.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27793 (GCVE-0-2026-27793)
Vulnerability from cvelistv5 – Published: 2026-02-27 19:38 – Updated: 2026-03-02 12:51
VLAI
Title
Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials
Summary
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/seerr-team/seerr/security/advi… | x_refsource_CONFIRM |
| https://github.com/seerr-team/seerr/commit/4f089b… | x_refsource_MISC |
| https://github.com/seerr-team/seerr/releases/tag/v3.1.0 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| seerr-team | seerr |
Affected:
< 3.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T12:50:56.548791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T12:51:21.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "seerr",
"vendor": "seerr-team",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:38:49.589Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/seerr-team/seerr/security/advisories/GHSA-f7xw-jcqr-57hp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/seerr-team/seerr/security/advisories/GHSA-f7xw-jcqr-57hp"
},
{
"name": "https://github.com/seerr-team/seerr/commit/4f089b29d0bb41d382168b17aa152eb5b8a25303",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/commit/4f089b29d0bb41d382168b17aa152eb5b8a25303"
},
{
"name": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0"
}
],
"source": {
"advisory": "GHSA-f7xw-jcqr-57hp",
"discovery": "UNKNOWN"
},
"title": "Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27793",
"datePublished": "2026-02-27T19:38:49.589Z",
"dateReserved": "2026-02-24T02:31:33.265Z",
"dateUpdated": "2026-03-02T12:51:21.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27792 (GCVE-0-2026-27792)
Vulnerability from cvelistv5 – Published: 2026-02-27 19:33 – Updated: 2026-02-27 20:19
VLAI
Title
Seerr missing authentication on pushSubscription endpoints
Summary
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/seerr-team/seerr/security/advi… | x_refsource_CONFIRM |
| https://github.com/seerr-team/seerr/commit/946bde… | x_refsource_MISC |
| https://github.com/seerr-team/seerr/releases/tag/v3.1.0 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| seerr-team | seerr |
Affected:
>= 2.7.0, < 3.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27792",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T20:16:46.521972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T20:19:07.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "seerr",
"vendor": "seerr-team",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:33:18.469Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/seerr-team/seerr/security/advisories/GHSA-gx3h-3jg5-q65f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/seerr-team/seerr/security/advisories/GHSA-gx3h-3jg5-q65f"
},
{
"name": "https://github.com/seerr-team/seerr/commit/946bdecec524b4e7f8aaf8f2b3856f319a3580c1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/commit/946bdecec524b4e7f8aaf8f2b3856f319a3580c1"
},
{
"name": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0"
}
],
"source": {
"advisory": "GHSA-gx3h-3jg5-q65f",
"discovery": "UNKNOWN"
},
"title": "Seerr missing authentication on pushSubscription endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27792",
"datePublished": "2026-02-27T19:33:18.469Z",
"dateReserved": "2026-02-24T02:31:33.265Z",
"dateUpdated": "2026-02-27T20:19:07.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27707 (GCVE-0-2026-27707)
Vulnerability from cvelistv5 – Published: 2026-02-27 19:29 – Updated: 2026-02-27 20:22
VLAI
Title
Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint
Summary
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/seerr-team/seerr/security/advi… | x_refsource_CONFIRM |
| https://github.com/seerr-team/seerr/commit/4ae206… | x_refsource_MISC |
| https://github.com/seerr-team/seerr/releases/tag/v3.1.0 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| seerr-team | seerr |
Affected:
>= 2.0.0, < 3.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T20:22:11.831766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T20:22:24.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "seerr",
"vendor": "seerr-team",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 3.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `\"\"` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T19:32:07.180Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7"
},
{
"name": "https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e"
},
{
"name": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0"
}
],
"source": {
"advisory": "GHSA-rc4w-7m3r-c2f7",
"discovery": "UNKNOWN"
},
"title": "Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27707",
"datePublished": "2026-02-27T19:29:18.768Z",
"dateReserved": "2026-02-23T17:56:51.203Z",
"dateUpdated": "2026-02-27T20:22:24.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}