Description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.
Published: 2026-02-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach (Credentials Exposure)
Action: Patch Now
AI Analysis

Impact

Seerr's GET /api/v1/user/:id endpoint returns the full settings object of whatever user ID appears in the URL to any authenticated requester, including that user's Pushover, Pushbullet, and Telegram credentials. The handler never checks that the requester owns the record or holds an administrative permission, so any account, however low-privileged, can read other users' third-party notification credentials and use them to send messages as those users or pivot into the connected services. The weakness is an authorization bypass through a user-controlled key (CWE-639), i.e. broken object-level authorization; the impact is confined to confidentiality (the CVSS vector carries C:H with I:N and A:N). Chained with the separate unauthenticated account-creation flaw (CVE-2026-27707), it becomes a zero-prior-access path: create an account, then walk the user IDs and harvest every user's credentials, including those of administrators.
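The authorization gap described above and one way to close it, as an added example in JavaScript (the language Seerr is written in). This is not Seerr's code: the in-memory user store, the permission bits, the settings field names and the credential values are constructed placeholders, and the route is reduced to plain functions so the block runs offline without Express.

```javascript
// Added example (not Seerr's code): the broken object-level authorization
// pattern behind CVE-2026-27793 beside a hardened handler. The store,
// permission bits, field names and credential strings are hypothetical.

const Permission = { NONE: 0, ADMIN: 2 }; // hypothetical permission bitmask

// Constructed in-memory user table standing in for the application's database.
// Credential values are obviously fake placeholders.
const users = new Map([
  [1, {
    id: 1, email: 'admin@example.invalid', permissions: Permission.ADMIN,
    settings: {
      pushoverUserKey: 'FAKE-PUSHOVER-ADMIN',
      pushbulletAccessToken: 'FAKE-PUSHBULLET-ADMIN',
      telegramBotAPI: 'FAKE-TELEGRAM-ADMIN',
    },
  }],
  [2, {
    id: 2, email: 'viewer@example.invalid', permissions: Permission.NONE,
    settings: { pushoverUserKey: 'FAKE-PUSHOVER-VIEWER', pushbulletAccessToken: '', telegramBotAPI: '' },
  }],
]);

// Vulnerable shape of GET /api/v1/user/:id: the only check is that the
// requester is authenticated; the :id comes from the URL and is used as-is.
function getUserVulnerable(requesterId, targetId) {
  if (!users.has(requesterId)) return { status: 401, body: { error: 'unauthorized' } };
  const target = users.get(targetId);
  if (!target) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: target }; // full record, settings and credentials included
}

// Hardened shape: object-level check, plus a response that never carries secrets.
function getUserHardened(requesterId, targetId) {
  const requester = users.get(requesterId);
  if (!requester) return { status: 401, body: { error: 'unauthorized' } };
  const target = users.get(targetId);
  if (!target) return { status: 404, body: { error: 'not found' } };
  const isSelf = requester.id === target.id;
  const isAdmin = (requester.permissions & Permission.ADMIN) !== 0;
  if (!isSelf && !isAdmin) return { status: 403, body: { error: 'forbidden' } };
  // Even for the owner or an admin the profile route returns no secrets:
  // notification credentials belong behind their own, separately authorized route.
  const { settings, ...profile } = target;
  return { status: 200, body: profile };
}

// Hypothetical field names to look for in a captured response body; any
// non-empty string under one of them is a leaked third-party credential.
const CREDENTIAL_FIELDS = [
  'pushoverUserKey', 'pushoverApplicationToken',
  'pushbulletAccessToken', 'telegramBotAPI', 'telegramChatId',
];

function leakedCredentialFields(body) {
  const settings = body && body.settings;
  if (!settings) return [];
  return CREDENTIAL_FIELDS.filter((f) => typeof settings[f] === 'string' && settings[f].length > 0);
}

// Simulates the enumeration step of the chained attack: a low-privileged
// account (or one just created via CVE-2026-27707) walks every user id and
// records which credential fields each handler hands back.
function harvest(handler, requesterId) {
  const leaked = {};
  for (const id of users.keys()) {
    const res = handler(requesterId, id);
    const fields = leakedCredentialFields(res.body);
    if (res.status === 200 && fields.length > 0) leaked[id] = fields;
  }
  return leaked;
}

// Example run: the unprivileged viewer (id 2) against both handlers.
console.log('vulnerable:', harvest(getUserVulnerable, 2)); // includes the admin's credentials
console.log('hardened:', harvest(getUserHardened, 2));     // {}
```

The two checks in `getUserHardened` are independent and both matter: the ownership/admin test is the CWE-639 fix, and removing the settings object from the profile response limits the blast radius if a future route makes the same mistake. `leakedCredentialFields` can also be run over the JSON of a real response captured from an unpatched instance to confirm exposure before and after upgrading.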

Affected Systems

The vulnerability affects Seerr itself, the open-source media request and discovery manager, in all versions prior to 3.1.0; the fix ships in 3.1.0. Seerr integrates with Jellyfin, Plex, and Emby media servers, but the flaw resides in Seerr's own API and those servers are not affected by it.

Risk and Exploitability

The CVSS 3.1 score is 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, low privileges (any authenticated account), no user interaction, high confidentiality impact and no integrity or availability impact. The EPSS score is below 1%, so the modelled exploitation probability is currently low, and the vulnerability is not in the CISA KEV catalog, so it is not known to be exploited in the wild. In practice the only bar is a valid session, which CVE-2026-27707 can supply without any prior access, so instances exposed to the internet or open to many users should treat this as a priority patch.

Generated by OpenCVE AI on April 16, 2026 at 15:20 UTC.

Remediation

The record lists no separate vendor advisory or workaround, but the CVE description states that Seerr 3.1.0 fixes both this issue and CVE-2026-27707; upgrading is the fix.

OpenCVE Recommended Actions

  • Upgrade Seerr to version 3.1.0 or later; the release contains the fix for this and the related account‑creation issue. After upgrading, rotate the Pushover, Pushbullet, and Telegram credentials stored in user settings, since any authenticated account could have read them before the fix.
  • If an immediate upgrade is not feasible, enforce object‑level authorization in front of GET /api/v1/user/:id (for example at a reverse proxy or in a local patch) so that a requester can only read their own record unless they hold an administrative permission, and strip the Pushover, Pushbullet, and Telegram fields from the response body.
  • Disable or secure the unauthenticated account‑creation feature until its fix is applied.


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 17:00:00 +0000

Values added (nothing removed):
  • First Time appeared: Seerr; Seerr seerr
  • CPEs: cpe:2.3:a:seerr:seerr:*:*:*:*:*:*:*:*
  • Vendors & Products: Seerr; Seerr seerr

Mon, 02 Mar 2026 13:15:00 +0000

Values added (nothing removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Values added (nothing removed):
  • First Time appeared: Seerr-team; Seerr-team seerr
  • Vendors & Products: Seerr-team; Seerr-team seerr

Fri, 27 Feb 2026 20:00:00 +0000

Values added (nothing removed):
  • Description: Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.
  • Title: Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials
  • Weaknesses: CWE-639
  • References:
  • Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T12:51:21.125Z

Reserved: 2026-02-24T02:31:33.265Z

Link: CVE-2026-27793

Vulnrichment

Updated: 2026-03-02T12:51:14.727Z

NVD

Status : Analyzed

Published: 2026-02-27T20:21:39.587

Modified: 2026-03-04T16:47:37.490

Link: CVE-2026-27793

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key