Description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue.
Published: 2026-02-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access and modification of user data via missing authorization on push subscription endpoints
Action: Patch
AI Analysis

Impact

A missing authorization check allows an authenticated user to interact with push subscription APIs that belong to other users. The vulnerability lies in the omission of the `isOwnProfileOrAdmin()` middleware on several push subscription routes, leading to potential alteration or retrieval of data that should be restricted. This flaw directly impacts the confidentiality and integrity of user data and is classified as CWE-862: Missing Authorization.

Affected Systems

The flaw affects installations of the Seerr media request manager from version 2.7.0 up through, but not including, version 3.1.0. The affected vendor is seerr-team, product Seerr. Users running any release in this range are potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is an authenticated HTTP request to the push subscription endpoints; the attacker must first authenticate to the application, then target the non‑secured API routes to read or modify another user's subscription data. No active exploits have been reported, and successful exploitation would require the attacker to have valid credentials on the target instance.
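The guard the advisory says was left off, as an added example that is not code from the Seerr project: a dependency-free JavaScript model of an Express-style `isOwnProfileOrAdmin` middleware, a constructed route table in which one push subscription route is registered without the guard, and an audit over that table that reports such omissions, the kind of check that can run as a regression test in CI. The route paths, the request and response shapes, the `ADMIN` permission bit and the sample subscription data are all assumptions made for illustration.

```javascript
// Added example, not Seerr's code. Models an Express-style ownership guard
// and a route-table audit; paths, permission bit and data are assumptions.

const ADMIN = 2; // assumed permission bit meaning "administrator"

// Guard in Express middleware form: the caller may only act on the user id
// in the path if it is their own, unless they hold the admin permission.
function isOwnProfileOrAdmin(req, res, next) {
  if (!req.user) return res.status(401).json({ error: 'Unauthorized' });
  const requested = Number(req.params.userId);
  const isOwn = req.user.id === requested;
  const isAdmin = (req.user.permissions & ADMIN) !== 0;
  if (!isOwn && !isAdmin) return res.status(403).json({ error: 'Forbidden' });
  return next();
}

// Constructed in-memory push subscriptions keyed by user id.
const subscriptions = new Map([
  [1, [{ endpoint: 'https://push.example/alice' }]],
  [2, [{ endpoint: 'https://push.example/bob' }]],
]);

function listSubscriptions(req, res) {
  return res.status(200).json(subscriptions.get(Number(req.params.userId)) || []);
}

function deleteSubscriptions(req, res) {
  subscriptions.delete(Number(req.params.userId));
  return res.status(204).json(null);
}

// Match an Express-style pattern ('/user/:userId/...') against a URL path.
function matchPath(pattern, url) {
  const p = pattern.split('/');
  const u = url.split('/');
  if (p.length !== u.length) return null;
  const params = {};
  for (let i = 0; i < p.length; i++) {
    if (p[i].startsWith(':')) params[p[i].slice(1)] = u[i];
    else if (p[i] !== u[i]) return null;
  }
  return params;
}

// Minimal router stand-in: stores handler chains and runs them with next().
class Router {
  constructor() { this.routes = []; }

  add(method, path, ...handlers) {
    this.routes.push({ method, path, handlers });
  }

  // Dispatch one request; returns { status, body } instead of writing a socket.
  dispatch(method, url, user) {
    const res = {
      code: 200,
      body: undefined,
      status(c) { this.code = c; return this; },
      json(b) { this.body = b; return this; },
    };
    for (const route of this.routes) {
      if (route.method !== method) continue;
      const params = matchPath(route.path, url);
      if (!params) continue;
      const req = { user, params };
      let i = 0;
      const next = () => { const h = route.handlers[i++]; if (h) h(req, res, next); };
      next();
      return { status: res.code, body: res.body };
    }
    return { status: 404, body: { error: 'Not Found' } };
  }
}

// Audit: every route scoped to a user id must carry the ownership guard.
// Returns "METHOD path" for each route that does not.
function findUnguardedUserRoutes(router) {
  return router.routes
    .filter(r => r.path.includes(':userId') && !r.handlers.includes(isOwnProfileOrAdmin))
    .map(r => `${r.method} ${r.path}`);
}

// Assumed route table: the GET is guarded; the DELETE reproduces the class of
// omission the advisory describes and is what the audit should report.
function buildRouter() {
  const router = new Router();
  router.add('GET', '/user/:userId/pushSubscriptions', isOwnProfileOrAdmin, listSubscriptions);
  router.add('DELETE', '/user/:userId/pushSubscriptions', deleteSubscriptions);
  return router;
}
```

The audit is the durable part: checking each user-scoped route's handler list for the guard at startup or in a test catches the next route that is added without it, which is how a missing-authorization regression of this kind is most cheaply prevented.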

Generated by OpenCVE AI on April 16, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Seerr to version 3.1.0 or later, which includes the missing authorization middleware on the push subscription endpoints
  • If upgrading is not immediately possible, remove or restrict access to the push subscription endpoints via reverse proxy or firewall rules
  • Continuously monitor API usage logs for unusual push subscription activity to detect potential abuse

Tracking

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 17:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Seerr
                                      Seerr seerr
CPEs                                  cpe:2.3:a:seerr:seerr:*:*:*:*:*:*:*:*
Vendors & Products                    Seerr
                                      Seerr seerr

Mon, 02 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Seerr-team
                                      Seerr-team seerr
Vendors & Products                    Seerr-team
                                      Seerr-team seerr

Fri, 27 Feb 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 19:45:00 +0000

Type                 Values Removed   Values Added
Description                           Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue.
Title                                 Seerr missing authentication on pushSubscription endpoints
Weaknesses                            CWE-862
References
Metrics                               cvssV3_1
                                      {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:19:07.348Z

Reserved: 2026-02-24T02:31:33.265Z

Link: CVE-2026-27792

Vulnrichment

Updated: 2026-02-27T20:18:56.259Z

NVD

Status : Analyzed

Published: 2026-02-27T20:21:39.403

Modified: 2026-03-04T16:49:30.750

Link: CVE-2026-27792

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses