Description
Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affects users who have disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) and do not run a reverse proxy in front of Sonarr that strips the invalid header rather than passing it through. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

Sonarr versions older than 4.0.16.2942 allow an unauthenticated attacker to bypass the login mechanism when the application is configured to disable authentication for local addresses and no reverse proxy is in place. The flaw permits the attacker to access the web interface as a fully authenticated user, enabling the use of all administrative functions without providing valid credentials.

Affected Systems

The affected product is Sonarr, with all releases prior to version 4.0.16.2942 vulnerable. The issue is resolved by upgrading to the nightly build 4.0.16.2942 or to the stable release 4.0.16.2944 and later.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS probability of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is HTTP requests that present no credentials to an exposed Sonarr instance that has disabled local-address authentication; if the service is not directly reachable from the internet the risk is reduced, but a misconfigured reverse proxy could still expose the same attack surface.

Generated by OpenCVE AI on March 30, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sonarr to version 4.0.16.2944 or later (or apply the nightly 4.0.16.2942 build).
  • Enable the Authentication Required setting so that all requests must present credentials.
  • Run Sonarr behind a reverse proxy that controls or forwards authentication headers appropriately.
  • Do not expose Sonarr directly to the internet; use a VPN, Tailscale, or other secure tunnel for access.



Advisories

No advisories yet.

History

Mon, 30 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sonarr:sonarr:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sonarr
Sonarr sonarr
Vendors & Products Sonarr
Sonarr sonarr

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.
Title Sonarr Authentication Bypass vulnerability
Weaknesses CWE-290
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T15:23:38.612Z

Reserved: 2026-03-07T17:53:48.816Z

Link: CVE-2026-30975

Vulnrichment

Updated: 2026-03-26T15:23:34.236Z

NVD

Status : Analyzed

Published: 2026-03-25T21:16:41.453

Modified: 2026-03-30T16:55:47.733

Link: CVE-2026-30975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:53Z

Weaknesses