Description
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.
Published: 2026-03-19
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution and data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from a permissive CORS policy that reflects any origin while setting the Allow‑Credentials header to true. This configuration permits any loaded webpage to issue authenticated requests on behalf of a logged‑in user. An attacker can consequently read sensitive data such as API keys and account credentials or trigger the built‑in External Programs manager to execute code on the host machine. The flaw aligns with the CWE‑942 weakness in handling complex request headers.

Affected Systems

The issue targets the autobrr:qui web interface used to manage qBittorrent instances. Versions 1.14.1 and all previous releases are affected. Deployments running these images in Docker containers or other environments that expose the service through a hostname other than localhost are at risk. Users operating the interface from internal networks but still reachable externally are also susceptible if no additional network restrictions are in place.

Risk and Exploitability

The vulnerability has a CVSS score of 9, indicating critical severity. An EPSS rating below 1 % suggests that exploit attempts are uncommon, and the vulnerability has not appeared in the KEV listing. Exploitation depends on social engineering: an attacker must persuade an authenticated user to visit an attacker‑controlled webpage. When successful, an adversary can exfiltrate credentials, capture API keys, or elevate privileges through the External Programs manager, representing a high impact if the target system is exposed. The risk remains significant for installations that are publicly reachable or have no isolation measures.

Generated by OpenCVE AI on April 14, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade qui to a version newer than 1.14.1 as soon as an update is available.
  • If patching is delayed, limit the web interface to localhost or an isolated internal network and avoid exposing it to external hosts.
  • Configure a reverse proxy to reject or block requests that contain Cross‑Origin headers for untrusted origins.
  • Remove or disable the Allow‑Credentials header in any exposed deployment when the policy cannot be fixed.
  • Monitor application logs for unexpected cross‑origin requests or API activity originating from unfamiliar IP addresses or user agents.
  • Apply web application firewall rules to filter or block cross‑origin requests that appear malicious when the service is exposed to the internet.

Generated by OpenCVE AI on April 14, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h8vw-ph9r-xpch qui CORS Misconfiguration: Arbitrary Origins Trusted
History

Thu, 23 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Tue, 14 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Getqui
Getqui qui
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:getqui:qui:*:*:*:*:*:docker:*:*
Vendors & Products Getqui
Getqui qui
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Autobrr
Autobrr qui
Vendors & Products Autobrr
Autobrr qui

Thu, 19 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.
Title qui CORS Misconfiguration: Arbitrary Origins Trusted
Weaknesses CWE-942
References
Metrics cvssV4_0

{'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H'}

Subscriptions

Autobrr Qui
Getqui Qui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T19:46:41.711Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30924

cve-icon Vulnrichment

Updated: 2026-03-20T19:46:29.038Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T21:17:09.943

Modified: 2026-04-23T18:34:20.710

Link: CVE-2026-30924

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses