Description
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10.
Published: 2026-05-12
Score: 8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cleanuparr is a cleanup utility for Sonarr, Radarr, and compatible download clients. The vulnerability occurs because the application’s global CORS policy reflects the "Origin" header and allows credentials, while the API can authenticate requests from trusted IP addresses via a TrustedNetworkAuthenticationHandler when DisableAuthForLocalAddresses is enabled This combination lets any website that an admin or a user on a trusted IP visits read authenticated API responses in a cross‑origin manner, exposing the admin’s permanent API key and other sensitive information.

Affected Systems

All Cleanuparr installations running version 2.9.9 or earlier are affected. The product is maintained by the Cleanuparr team.

Risk and Exploitability

The CVSS score of 8.0 classifies the issue as a high severity flaw with significant confidentiality impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting moderate to low current exploit prevalence. Exploitation requires a victim admin or trusted‑network user to visit a malicious website that can issue cross‑origin requests; the victim’s browser will automatically attach credentials, enabling the attacker to obtain the admin API key. While the attack vector is not purely local, it relies on user interaction with a malicious site, making the exploit plausible but not trivially automatable.

Generated by OpenCVE AI on May 12, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cleanuparr to version 2.9.10 or later where the issue is fixed
  • Reconfigure or disable the global CORS policy so it does not echo the "Origin" header and does not allow credentials for untrusted origins
  • If trusted‑network authentication is required, narrow the allowed IP ranges or disable DisableAuthForLocalAddresses to prevent authentication bypass

Generated by OpenCVE AI on May 12, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Cleanuparr
Cleanuparr cleanuparr
Vendors & Products Cleanuparr
Cleanuparr cleanuparr

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10.
Title Cleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads
Weaknesses CWE-346
CWE-942
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Cleanuparr Cleanuparr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T18:38:28.447Z

Reserved: 2026-05-05T14:39:34.924Z

Link: CVE-2026-44184

cve-icon Vulnrichment

Updated: 2026-05-12T18:37:43.949Z

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:29.583

Modified: 2026-05-12T19:16:33.937

Link: CVE-2026-44184

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses