Description
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry is attacker-controlled — X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the TrustedNetworkAuthenticationHandler.ResolveClientIp method, which parses only the leftmost entry of the X-Forwarded-For header as the client IP. Because this header is append-only, an attacker can supply a spoofed local IP, causing the handler to treat the request as originating from a trusted network and automatically log the attacker into the Cleanuparr administrator account. This flaw enables a remote, unauthenticated attacker to acquire full administrative privileges when reverse‑proxy mode is enabled.
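
As an added illustration (not Cleanuparr's code), the following Python contrasts the leftmost X-Forwarded-For parsing described above with a resolver that consults the header only when the TCP peer is a known proxy and then walks it right-to-left, discarding hops that belong to trusted proxies. The proxy and trusted-network ranges are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample deployment (assumption, not Cleanuparr's real settings):
# one reverse proxy at 10.0.0.5; loopback and the LAN count as "trusted network".
TRUSTED_PROXIES: List[IPNet] = [ipaddress.ip_network("10.0.0.5/32")]
TRUSTED_NETWORKS: List[IPNet] = [ipaddress.ip_network("127.0.0.0/8"),
                                 ipaddress.ip_network("192.168.1.0/24")]


def _in_any(ip: IPAddr, nets: List[IPNet]) -> bool:
    return any(ip in net for net in nets)


def leftmost_client_ip(remote_addr: str, xff: Optional[str]) -> IPAddr:
    """The flawed resolution: believe whatever the original client wrote first."""
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def resolve_client_ip(remote_addr: str, xff: Optional[str],
                      trusted_proxies: List[IPNet]) -> IPAddr:
    """Walk X-Forwarded-For right-to-left, dropping hops that are our proxies.

    The header is consulted only when the TCP peer is itself a trusted proxy;
    a direct connection cannot vouch for any forwarded addresses.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not _in_any(peer, trusted_proxies):
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed hop: do not guess, fall back to the TCP peer
        if not _in_any(ip, trusted_proxies):
            return ip  # first hop not appended by a trusted proxy is the client
    return peer  # every hop was a trusted proxy; treat the proxy as the client


def is_trusted_network(ip: IPAddr,
                       trusted_networks: List[IPNet] = TRUSTED_NETWORKS) -> bool:
    """The trusted-network check that would grant the automatic admin login."""
    return _in_any(ip, trusted_networks)
```

With this resolver a direct connection from a remote address is never promoted by a header it wrote itself, and a spoofed loopback entry placed ahead of the real client by a proxy is skipped.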

Affected Systems

This issue affects all versions of Cleanuparr up to, but not including, 2.9.10. No explicit version specifications are listed beyond this patch boundary. The fix is provided in the 2.9.10 release.

Risk and Exploitability

The vulnerability has a CVSS score of 9.8, indicating a critical impact. No EPSS value is available, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the Cleanuparr instance to run with reverse‑proxy support enabled and does not require any client authentication; by sending a crafted X-Forwarded-For header, the attacker can immediately log in as administrator over the network.

Generated by OpenCVE AI on May 12, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cleanuparr to version 2.9.10 or later to apply the official fix.
  • If an upgrade cannot be performed immediately, disable reverse‑proxy mode or restrict trusted-proxy settings so that X-Forwarded-For is not accepted from untrusted clients.
  • Ensure the admin interface requires proper authentication, employ HTTPS, and consider limiting access behind a VPN or firewall for additional protection.

Advisories

No advisories yet.

History

Tue, 12 May 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cleanuparr; Cleanuparr cleanuparr
Vendors & Products | | Cleanuparr; Cleanuparr cleanuparr

Tue, 12 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | (identical to the Description at the top of this record)
Title | | Cleanuparr: X-Forwarded-For leftmost parsing allows remote unauthenticated admin takeover when reverse-proxy mode is enabled
Weaknesses | | CWE-290, CWE-348
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T17:32:52.143Z

Reserved: 2026-05-05T14:39:34.924Z

Link: CVE-2026-44183

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:17:29.427

Modified: 2026-05-12T18:17:29.427

Link: CVE-2026-44183

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses