Description
Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network.
Published: 2026-03-25
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Remote File Disclosure
Action: Immediate Patch
AI Analysis

Impact

A path traversal defect in Sonarr 4.x releases before 4.0.17.2950 permits an unauthenticated remote attacker to read any file the Sonarr process can access, including configuration files that hold API keys, database credentials, and system files. The flaw is a classic CWE‑22 vulnerability that results in unauthorized file disclosure, potentially exposing sensitive data and enabling further attacks against the host. The data loss spans confidentiality and may lead to credential compromise.

Affected Systems

The flaw affects the Sonarr application on Windows platforms, specifically versions on the 4.x branch earlier than 4.0.17.2950. macOS and Linux deployments are not affected. The issue was patched in the nightly build 4.0.17.2950 and in the stable release 4.0.17.2952, and any later update includes a fix.

Risk and Exploitability

The severity is high, reflected by a CVSS score of 8.6, while the EPSS score indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote unauthenticated request to Sonarr over a network that can reach the instance. An attacker crafts a request to the API that triggers a path traversal, allowing read access to any accessible file. The impact is a loss of confidentiality for configuration and system files.

Generated by OpenCVE AI on March 30, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sonarr to version 4.0.17.2952 or later.
  • Verify that the update has been applied and that the application reports the new version.
  • If an upgrade is not possible immediately, limit access to Sonarr to an internal network and expose it externally only through a secure VPN, Tailscale, or similar.
  • Monitor Sonarr logs for suspicious file read requests and isolate the application via network segmentation.

Generated by OpenCVE AI on March 30, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sonarr:sonarr:*:*:*:*:*:*:*:*

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sonarr
Sonarr sonarr
Vendors & Products Sonarr
Sonarr sonarr

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network.
Title Sonarr Path Traversal vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Sonarr Sonarr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T17:53:31.620Z

Reserved: 2026-03-07T17:53:48.816Z

Link: CVE-2026-30976

cve-icon Vulnrichment

Updated: 2026-03-26T17:53:27.423Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T21:16:41.623

Modified: 2026-04-09T19:44:38.000

Link: CVE-2026-30976

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:57:52Z

Weaknesses