Description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment); `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
Published: 2026-02-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted account creation and unauthorized media requests
Action: Immediate Patch
AI Analysis

Impact

Seerr's authentication guard logic flaw in POST /api/v1/auth/jellyfin lets an attacker who can reach the server create a new Seerr account without any prior authentication, by pointing the endpoint at a Jellyfin server the attacker controls. The attacker receives a valid session and immediately holds the application's default permissions, which include submitting media requests that Seerr forwards to Radarr and Sonarr. In effect an anonymous party obtains what normally requires a legitimate user's credentials: a working account on the instance with default (not administrative) rights.

Affected Systems

Vulnerable Seerr deployments are those running version 2.0.0 up to, but not including, 3.1.0 on a Plex-configured environment. The conditions that enable exploitation are: the mediaServerType setting is PLEX, the jellyfin.ip configuration remains empty (indicating that Jellyfin has never been set up), and the newPlexLogin flag is left at its default true value. Deployments configured for Jellyfin or Emby are not affected, and Seerr version 3.1.0 onward contains the patch that resolves the issue.

Risk and Exploitability

The CVSS 3.1 base score is 7.3 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L: reachable over the network, low attack complexity, no privileges and no user interaction required, with partial impact on confidentiality, integrity and availability. The EPSS score is below 1%, so the observed probability of exploitation in the wild is currently low, and the CVE is not listed in CISA's KEV catalog; the SSVC record nevertheless marks it Automatable: yes. Any affected instance reachable from the public internet can be abused by a crafted request to /api/v1/auth/jellyfin that names a Jellyfin server the attacker controls; no prior authentication or additional privilege is needed, only network reachability to the Seerr instance.

Generated by OpenCVE AI on April 16, 2026 at 15:21 UTC.
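As an added worked example (not from the OpenCVE page or the Seerr project), the following Python script hunts reverse-proxy access logs for the request pattern described above. On a Plex-configured instance where Jellyfin was never set up, no legitimate client has a reason to POST /api/v1/auth/jellyfin, so every such request is worth a look, and one the server answered with a success status is a probable account registration. The script assumes nginx's standard "combined" log format in front of Seerr and that a successful registration is answered with a 2xx status; the sample log lines are constructed for the example, not captured from a real system.

```python
"""
Access-log hunt for CVE-2026-27707 on a Plex-only Seerr instance.

Added example, not from the OpenCVE page or the Seerr project. Reasoning from the
advisory: with mediaServerType PLEX and Jellyfin never configured, no legitimate
client has a reason to POST /api/v1/auth/jellyfin, so every such request deserves
a look, and one the server answered with a success status is a probable account
registration. Assumptions: logs are in nginx's standard "combined" format from a
reverse proxy in front of Seerr, and a successful registration returns a 2xx
status. The sample lines below are constructed, not captured.
"""
import re

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

TARGET_PATH = "/api/v1/auth/jellyfin"

# Constructed sample: one source that registers and then files a media request,
# a normal Plex login from someone else, and a failed probe from a third source.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2026:21:03:11 +0000] "GET /api/v1/status HTTP/1.1" 200 184 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Feb/2026:21:03:14 +0000] "POST /api/v1/auth/jellyfin HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:21:03:15 +0000] "POST /api/v1/request HTTP/1.1" 201 301 "-" "python-requests/2.31"
198.51.100.9 - - [27/Feb/2026:21:05:02 +0000] "POST /api/v1/auth/plex HTTP/1.1" 200 488 "-" "Mozilla/5.0"
198.51.100.22 - - [27/Feb/2026:21:07:40 +0000] "POST /api/v1/auth/jellyfin HTTP/1.1" 500 120 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def hunt(log_text, path=TARGET_PATH):
    """Find POSTs to the Jellyfin auth endpoint and, for apparent successes,
    what the same source did afterwards (log lines are assumed chronological)."""
    records = [parse_line(line) for line in log_text.splitlines()]
    findings = []
    for idx, rec in enumerate(records):
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        succeeded = 200 <= rec["status"] < 300  # assumption: success is 2xx
        later = [r for r in records[idx + 1:] if r and r["ip"] == rec["ip"]]
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "status": rec["status"],
            "user_agent": rec["ua"],
            "likely_registration": succeeded,
            "follow_up": [(r["method"], r["path"], r["status"]) for r in later]
            if succeeded else [],
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        flag = "LIKELY REGISTRATION" if f["likely_registration"] else "attempt"
        print(f"{f['time']} {f['ip']} {f['status']} {f['user_agent']}: {flag}")
        for method, p, status in f["follow_up"]:
            print(f"    then {method} {p} -> {status}")
```

Run it against the proxy's access log for the whole window the instance was on an affected version; a successful hit followed by requests to other API paths from the same source is the signal to go and look for the account the registration created and the media requests it filed.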

Remediation

Fix: Seerr 3.1.0, the release the CVE description names as resolving the issue. No vendor-documented workaround is provided for earlier versions; the configuration changes listed below are inferred from the precondition list in the description.

OpenCVE Recommended Actions

  • Upgrade to Seerr version 3.1.0 or newer, the release the CVE description identifies as containing the fix
  • Until the upgrade, break one of the three preconditions. Setting settings.main.newPlexLogin to false removes the condition the description lists for new-account registration on a Plex-configured instance, at the cost of blocking legitimate new Plex sign-ups until the patch is applied. Populating settings.jellyfin.ip on a Plex-only instance would also alter the conditions, but it is not a documented workaround and its side effects are untested; prefer disabling newPlexLogin
  • Keep the instance off the public internet, or behind a reverse proxy or firewall that admits only trusted sources; the attack needs no credentials, only network reachability to the endpoint (CVSS AV:N/PR:N), and the SSVC record rates it Automatable
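The following is an added triage script, not Seerr's own code, that evaluates the version window and the three configuration preconditions from the description against a given instance. It assumes the settings are supplied as a dict using the key paths the description names (main.mediaServerType, jellyfin.ip, main.newPlexLogin) and that the Plex media server type is represented by the string "PLEX"; a real settings.json may encode that field differently, so normalise it before calling. The sample settings are constructed for the example.

```python
"""
Triage check for CVE-2026-27707 (Seerr): does this instance sit in the vulnerable
version window and match all three configuration preconditions from the advisory?

Added example, not Seerr project code. Assumptions: settings are passed in as a
dict using the key paths the advisory names (main.mediaServerType, jellyfin.ip,
main.newPlexLogin), and the Plex media server type is the string "PLEX"; a real
settings.json may serialise that field differently, so normalise it before calling.
"""
from typing import Any

AFFECTED_FROM = (2, 0, 0)  # first affected release, inclusive (per advisory)
FIXED_IN = (3, 1, 0)       # fixing release, exclusive upper bound (per advisory)


def parse_version(version: str) -> tuple[tuple[int, int, int], bool]:
    """'v3.0.1' -> ((3, 0, 1), False); '3.1.0-rc.1' -> ((3, 1, 0), True).

    Build metadata after '+' is ignored; the bool flags a pre-release suffix.
    """
    text = version.strip().lstrip("vV").split("+", 1)[0]
    core, _, prerelease = text.partition("-")
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2]), bool(prerelease)


def version_in_window(version: str) -> bool:
    """True for 2.0.0 <= version < 3.1.0.

    A pre-release of the fix version itself (e.g. 3.1.0-rc.1) is treated as
    unfixed: the advisory names 3.1.0 as the fix and a pre-release sorts before it.
    """
    v, prerelease = parse_version(version)
    if AFFECTED_FROM <= v < FIXED_IN:
        return True
    return v == FIXED_IN and prerelease


def vulnerable_conditions(settings: dict[str, Any]) -> list[str]:
    """Return the advisory preconditions that hold; all three => vulnerable config."""
    main = settings.get("main", {})
    jellyfin = settings.get("jellyfin", {})
    hits: list[str] = []
    if main.get("mediaServerType") == "PLEX":     # assumption: string form of PLEX
        hits.append("main.mediaServerType is PLEX")
    if jellyfin.get("ip", "") == "":              # default: Jellyfin never configured
        hits.append("jellyfin.ip is empty")
    if main.get("newPlexLogin", True) is True:    # default: true
        hits.append("main.newPlexLogin is true")
    return hits


def assess(version: str, settings: dict[str, Any]) -> dict[str, Any]:
    """Combine the version check with the configuration check."""
    conditions = vulnerable_conditions(settings)
    in_window = version_in_window(version)
    return {
        "version": version,
        "version_in_window": in_window,
        "conditions_met": conditions,
        "vulnerable": in_window and len(conditions) == 3,
    }


# Constructed sample settings; not taken from any real deployment.
PLEX_DEFAULT = {"main": {"mediaServerType": "PLEX", "newPlexLogin": True},
                "jellyfin": {"ip": ""}}
PLEX_NO_NEW_LOGIN = {"main": {"mediaServerType": "PLEX", "newPlexLogin": False},
                     "jellyfin": {"ip": ""}}
JELLYFIN_CONFIGURED = {"main": {"mediaServerType": "JELLYFIN", "newPlexLogin": True},
                       "jellyfin": {"ip": "10.0.0.5"}}

if __name__ == "__main__":
    for ver, cfg in [("3.0.1", PLEX_DEFAULT), ("3.1.0", PLEX_DEFAULT),
                     ("2.5.0", PLEX_NO_NEW_LOGIN), ("2.5.0", JELLYFIN_CONFIGURED)]:
        result = assess(ver, cfg)
        print(f"{ver}: vulnerable={result['vulnerable']} "
              f"conditions={result['conditions_met']}")
```

The version check is deliberately conservative about pre-releases of 3.1.0, and the configuration check reports which of the three conditions hold rather than a bare yes/no, so the output also tells you which single setting to flip if the upgrade has to wait.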

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 17:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Seerr
                                      Seerr seerr
CPEs                                  cpe:2.3:a:seerr:seerr:*:*:*:*:*:*:*:*
Vendors & Products                    Seerr
                                      Seerr seerr

Mon, 02 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Seerr-team
                                      Seerr-team seerr
Vendors & Products                    Seerr-team
                                      Seerr-team seerr

Fri, 27 Feb 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 19:45:00 +0000

Type                 Values Removed   Values Added
Description                           Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment); `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
Title                                 Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint
Weaknesses                            CWE-288
                                      CWE-807
References
Metrics                               cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:22:24.091Z

Reserved: 2026-02-23T17:56:51.203Z

Link: CVE-2026-27707

Vulnrichment

Updated: 2026-02-27T20:22:18.084Z

NVD

Status : Analyzed

Published: 2026-02-27T20:21:38.760

Modified: 2026-03-04T16:54:47.437

Link: CVE-2026-27707

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses