CVE-2026-30976 (GCVE-0-2026-30976)
Vulnerability from cvelistv5 – Published: 2026-03-25 21:11 – Updated: 2026-03-26 17:53
VLAI?
Title
Sonarr Path Traversal vulnerability
Summary
Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network.
Severity ?
8.6 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T17:53:23.067175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T17:53:31.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Sonarr",
"vendor": "Sonarr",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0, \u003c 4.0.17.2950"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It\u0027s possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T21:11:20.078Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f"
},
{
"name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950"
},
{
"name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952"
}
],
"source": {
"advisory": "GHSA-h393-v5hm-6h8f",
"discovery": "UNKNOWN"
},
"title": "Sonarr Path Traversal vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30976",
"datePublished": "2026-03-25T21:11:20.078Z",
"dateReserved": "2026-03-07T17:53:48.816Z",
"dateUpdated": "2026-03-26T17:53:31.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-30976",
"date": "2026-05-09",
"epss": "0.00021",
"percentile": "0.06113"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-30976\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-25T21:16:41.623\",\"lastModified\":\"2026-04-09T19:44:38.000\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It\u0027s possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network.\"},{\"lang\":\"es\",\"value\":\"Sonarr es un PVR para usuarios de Usenet y BitTorrent. En versiones de la rama 4.x anteriores a la 4.0.17.2950, un atacante remoto no autenticado puede leer potencialmente cualquier archivo legible por el proceso de Sonarr. Estos incluyen archivos de configuraci\u00f3n de la aplicaci\u00f3n (que contienen claves de API y credenciales de base de datos), archivos del sistema de Windows y cualquier archivo accesible por el usuario en la misma unidad. Este problema solo afecta a los sistemas Windows; macOS y Linux no se ven afectados. Los archivos devueltos desde la API no estaban limitados al directorio en disco desde el que se supon\u00eda que deb\u00edan servirse. Este problema ha sido parcheado en la versi\u00f3n 4.0.17.2950 en la rama nightly/develop o en la 4.0.17.2952 para las versiones stable/main. Es posible solucionar el problema alojando Sonarr \u00fanicamente en una red interna segura y accedi\u00e9ndolo a trav\u00e9s de VPN, Tailscale o una soluci\u00f3n similar fuera de esa red.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sonarr:sonarr:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0.741\",\"versionEndExcluding\":\"4.0.17.2950\",\"matchCriteriaId\":\"15A94C78-5072-4BB2-9E51-622ECBB2650B\"}]}]}],\"references\":[{\"url\":\"https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30976\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T17:53:23.067175Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T17:53:27.423Z\"}}], \"cna\": {\"title\": \"Sonarr Path Traversal vulnerability\", \"source\": {\"advisory\": \"GHSA-h393-v5hm-6h8f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Sonarr\", \"product\": \"Sonarr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0, \u003c 4.0.17.2950\"}]}], \"references\": [{\"url\": \"https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f\", \"name\": \"https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950\", \"name\": \"https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952\", \"name\": \"https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It\u0027s possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-25T21:11:20.078Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-30976\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T17:53:31.620Z\", \"dateReserved\": \"2026-03-07T17:53:48.816Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-25T21:11:20.078Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…