{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30975", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:53:48.816Z", "datePublished": "2026-03-25T21:08:15.426Z", "dateUpdated": "2026-03-26T15:23:38.612Z"}, "containers": {"cna": {"title": "Sonarr Authentication Bypass vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r"}, {"name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942", "tags": ["x_refsource_MISC"], "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942"}, {"name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944", "tags": ["x_refsource_MISC"], "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944"}], "affected": [{"vendor": "Sonarr", "product": "Sonarr", "versions": [{"version": "< 4.0.16.2942", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T21:08:15.426Z"}, "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution."}], "source": {"advisory": "GHSA-h5qx-5hjf-7c9r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:23:30.487188Z", "id": "CVE-2026-30975", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:23:38.612Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Sonarr Authentication Bypass vulnerability", "source": {"advisory": "GHSA-h5qx-5hjf-7c9r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Sonarr", "product": "Sonarr", "versions": [{"status": "affected", "version": "< 4.0.16.2942"}]}], "references": [{"url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r", "name": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942", "name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944", "name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T21:08:15.426Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:23:30.487188Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-26T15:23:34.236Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-30975", "state": "PUBLISHED", "dateUpdated": "2026-03-25T21:08:15.426Z", "dateReserved": "2026-03-07T17:53:48.816Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T21:08:15.426Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution."}], "id": "CVE-2026-30975", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T21:16:41.453", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942"}, {"source": "security-advisories@github.com", "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944"}, {"source": "security-advisories@github.com", "url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.16.2942)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Sonarr", "source": "cna", "vendor": "Sonarr"}, "product": "sonarr", "vendor": "sonarr"}], "analysis": {"en": {"generated_at": "2026-03-25T22:54:47.138189+00:00", "value": {"mitigation_remediation": ["Upgrade Sonarr to version 4.0.16.2942 or later (stable 4.0.16.2944).", "Set the \"Authentication Required\" setting to \"Enabled\" in Sonarr\u2019s configuration.", "Deploy a reverse proxy that enforces authentication headers and blocks unauthenticated requests.", "Ensure Sonarr is not directly exposed to the public internet; access it through a VPN, Tailscale, or a similar secure connection."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access via Authentication Bypass"}, "threat_synthesis": {"affected_systems": "All Sonarr releases older than 4.0.16.2942 are vulnerable. The patch was merged into the nightly/develop branch and shipped in the stable release 4.0.16.2944. Systems running any prior minor or patch version must upgrade to at least 4.0.16.2942 (nightly) or 4.0.16.2944 (stable).", "description_and_impact": "Sonarr, a PVR for Usenet and BitTorrent users, suffers an authentication bypass when the \"Authentication Required\" option is set to \"Disabled for Local Addresses\" and no reverse proxy filters the header. The flaw, classified as CWE\u2011290, allows unauthenticated access to the web interface, enabling attackers to read or modify configuration, manage media libraries, and potentially compromise the system. The CVSS Base score of 8.1 reflects this high impact.", "risk_and_exploitability": "Based on the description, it is inferred that an attacker can exploit the flaw by sending a standard HTTP request to the Sonarr web interface, either from the local network or from a remote location if the service is exposed to the internet. The vulnerability requires that authentication is disabled for local addresses; therefore, attackers who can reach the server directly or bypass a misconfigured reverse proxy gain uncontrolled access. The CVSS score of 8.1 indicates a severe risk, and while EPSS data is not available, the issue has not yet been listed in the CISA KEV catalog, suggesting limited public exploitation. Nonetheless, the flaw exposes affected deployments to unauthorized control and potential data exposure if the application is reachable from untrusted networks."}}}}, "created": "2026-03-26T11:31:28.169708+00:00", "updated": "2026-03-26T12:09:31.267565+00:00", "vendors": ["sonarr", "sonarr$PRODUCT$sonarr"]}