Description
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.
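The misconfiguration described above is the combination of two response headers: an Access-Control-Allow-Origin that simply echoes whatever Origin the browser sent, together with Access-Control-Allow-Credentials: true. The following Go example is added here as an illustration and is not qui's own code; it places that permissive pattern next to the hardened allowlist form and includes a small check a defender can run against a handler to see which behaviour it has. The middleware names, the allowed origin, the probe origin and the /api/config path are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// permissiveCORS reproduces the class of misconfiguration the advisory
// describes: whatever Origin the browser sends is echoed back, and
// credentials are allowed at the same time. Kept only as the "before".
func permissiveCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS is the hardened form: only origins the operator configured
// are echoed, and every other origin gets no CORS headers at all, so the
// browser refuses to expose the credentialed response to the page.
// Vary: Origin stops a shared cache from replaying one origin's answer to
// another origin.
func allowlistCORS(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]struct{}, len(allowed))
	for _, o := range allowed {
		set[o] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if _, ok := set[origin]; ok && origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
			w.Header().Add("Vary", "Origin")
		}
		if r.Method == http.MethodOptions { // preflight: answer without touching the API
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// corsHeadersFor drives a handler with the given Origin and returns the two
// headers that decide whether a cross-origin page can read the response.
func corsHeadersFor(h http.Handler, origin string) (allowOrigin, allowCreds string) {
	req := httptest.NewRequest(http.MethodGet, "/api/config", nil) // constructed path
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"),
		rec.Header().Get("Access-Control-Allow-Credentials")
}

// IsPermissive reports whether a handler both reflects an origin it should
// not trust and allows credentials for it, i.e. the advisory's condition.
func IsPermissive(h http.Handler, probeOrigin string) bool {
	ao, ac := corsHeadersFor(h, probeOrigin)
	return ao == probeOrigin && ac == "true"
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"apiKey":"REDACTED"}`) // constructed stand-in for an authenticated endpoint
	})
	probe := "https://third-party.example" // constructed origin that is not on the allowlist
	fmt.Println("reflecting middleware permissive:", IsPermissive(permissiveCORS(api), probe))
	hardened := allowlistCORS([]string{"https://qui.internal.example"}, api)
	fmt.Println("allowlist middleware permissive:", IsPermissive(hardened, probe))
}
```

The point of the check is the pairing: reflecting an origin is harmless on its own for public data, and Access-Control-Allow-Credentials: true is harmless when the allowed origin is a fixed trusted value; it is the two together, applied to an arbitrary origin, that lets another site's script use the victim's session. Note that the hardened middleware also treats an empty Origin as not allowed, so a missing header never falls into the trusted branch.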
Published: 2026-03-19
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a CORS misconfiguration in the qui web interface, where versions 1.14.1 and below reflect arbitrary origins and return Access-Control-Allow-Credentials: true. This allows any external webpage to send authenticated requests to the application using a victim's session. An attacker can trick a logged-in user into loading a malicious site, which then silently interacts with the interface, potentially extracting sensitive data such as API keys, account credentials, or executing commands through the built-in External Programs manager. The weakness is identified as CWE-942 (Improper Restriction of Operations within a Privilege Range).

Affected Systems

The affected product is the autobrr qui web interface for managing qBittorrent instances. Versions 1.14.1 and earlier are vulnerable; newer releases are not documented as affected.

Risk and Exploitability

The CVSS score is 9.0, indicating a critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to be logged into the application via a non-localhost hostname and to visit an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. The potential impact includes theft of sensitive data and full system compromise through the External Programs manager.

Generated by OpenCVE AI on March 19, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to the latest version once a fix is released to correct the permissive CORS policy.
  • If a patch is not yet available, restrict access to the qui interface so it is only reachable from trusted hosts or over a VPN, and configure the server to reject wildcard origins, thereby blocking external cross-origin requests.
  • Disable the External Programs manager in qBittorrent or strictly limit its privileges to reduce the risk of arbitrary code execution.
  • Monitor application logs for unexpected cross-origin requests and session hijacking attempts to detect potential exploitation.



Advisories
Source: GitHub GHSA
ID: GHSA-h8vw-ph9r-xpch
Title: qui CORS Misconfiguration: Arbitrary Origins Trusted
History

Tue, 14 Apr 2026 18:00:00 +0000

Type: First Time appeared; Values added: Getqui, Getqui qui
Type: Weaknesses; Values added: NVD-CWE-Other
Type: CPEs; Values added: cpe:2.3:a:getqui:qui:*:*:*:*:*:docker:*:*
Type: Vendors & Products; Values added: Getqui, Getqui qui
Type: Metrics; Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 20 Mar 2026 20:15:00 +0000

Type: Metrics; Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared; Values added: Autobrr, Autobrr qui
Type: Vendors & Products; Values added: Autobrr, Autobrr qui

Thu, 19 Mar 2026 21:00:00 +0000

Type: Description; Values added: (the description shown at the top of this page)
Type: Title; Values added: qui CORS Misconfiguration: Arbitrary Origins Trusted
Type: Weaknesses; Values added: CWE-942
Type: References (no values shown)
Type: Metrics; Values added: cvssV4_0 {'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T19:46:41.711Z

Reserved: 2026-03-07T16:40:05.884Z

Link: CVE-2026-30924

Vulnrichment

Updated: 2026-03-20T19:46:29.038Z

NVD

Status : Analyzed

Published: 2026-03-19T21:17:09.943

Modified: 2026-04-14T17:48:44.787

Link: CVE-2026-30924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T11:06:18Z

Weaknesses