{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27707", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.203Z", "datePublished": "2026-02-27T19:29:18.768Z", "dateUpdated": "2026-02-27T20:22:24.091Z"}, "containers": {"cna": {"title": "Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-807", "lang": "en", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7"}, {"name": "https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e", "tags": ["x_refsource_MISC"], "url": "https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e"}, {"name": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0"}], "affected": [{"vendor": "seerr-team", "product": "seerr", "versions": [{"version": ">= 2.0.0, < 3.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T19:32:07.180Z"}, "descriptions": [{"lang": "en", "value": "Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `\"\"` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue."}], "source": {"advisory": "GHSA-rc4w-7m3r-c2f7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T20:22:11.831766Z", "id": "CVE-2026-27707", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:22:24.091Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27707", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T20:22:11.831766Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:22:18.084Z"}}], "cna": {"title": "Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint", "source": {"advisory": "GHSA-rc4w-7m3r-c2f7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "seerr-team", "product": "seerr", "versions": [{"status": "affected", "version": ">= 2.0.0, < 3.1.0"}]}], "references": [{"url": "https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7", "name": "https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e", "name": "https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0", "name": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `\"\"` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T19:32:07.180Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27707", "state": "PUBLISHED", "dateUpdated": "2026-02-27T20:22:24.091Z", "dateReserved": "2026-02-23T17:56:51.203Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T19:29:18.768Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:seerr:seerr:*:*:*:*:*:*:*:*", "matchCriteriaId": "142465B9-9DE4-46F9-B457-572048968C86", "versionEndExcluding": "3.1.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `\"\"` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue."}], "id": "CVE-2026-27707", "lastModified": "2026-03-04T16:54:47.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-27T20:21:38.760", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/seerr-team/seerr/releases/tag/v3.1.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-807"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,3.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "seerr", "source": "cna", "vendor": "seerr-team"}, "product": "seerr", "vendor": "seerr-team"}], "analysis": {"en": {"generated_at": "2026-04-16T15:21:18.286513+00:00", "value": {"mitigation_remediation": ["Upgrade to Seerr version 3.1.0 or newer to apply the fix", "As a temporary measure, modify the Seerr configuration by setting settings.jellyfin.ip to a non-empty value or disabling settings.main.newPlexLogin so that external Jellyfin servers cannot be used for authentication", "Restrict network access to the Seerr instance or use firewall rules to prevent unauthenticated traffic from the public internet"], "summary": {"action": "Immediate Patch", "impact": "Unrestricted account creation and unauthorized media requests"}, "threat_synthesis": {"affected_systems": "Vulnerable Seerr deployments are those running version 2.0.0 up to, but not including, 3.1.0 on a Plex-configured environment. The conditions that enable exploitation are: the mediaServerType setting is PLEX, the jellyfin.ip configuration remains empty (indicating that Jellyfin has never been set up), and the newPlexLogin flag is left at its default true value. Deployments configured for Jellyfin or Emby are not affected, and Seerr version 3.1.0 onward contains the patch that resolves the issue.", "description_and_impact": "Seerr's authentication guard logic flaw in POST /api/v1/auth/jellyfin permits an attacker who can communicate with the server to create a new user account without prior authentication. The attacker then obtains a valid session cookie and immediately gains access to the application with default permissions, which includes the ability to submit media requests to backend tools such as Radarr and Sonarr. This flaw effectively enables an unauthenticated user to create privileged accounts and perform operations that normally require legitimate user credentials.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high severity vulnerability, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability has not been listed in CISA's KEV catalog. An affected system that is accessible from the public internet could be abused by an attacker who sends a crafted request to the /api/v1/auth/jellyfin endpoint using a malicious Jellyfin server address. The attacker does not need any prior authentication and only requires network reachability to the Seerr instance. Based on the description, it is inferred that the attack vector is remote network access, and that the attacker can exploit the flaw without additional privileges."}}}}, "created": "2026-03-02T12:05:10.080451+00:00", "updated": "2026-04-16T15:30:06.219715+00:00", "vendors": ["seerr-team", "seerr-team$PRODUCT$seerr"]}