{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30975", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:53:48.816Z", "datePublished": "2026-03-25T21:08:15.426Z", "dateUpdated": "2026-03-26T15:23:38.612Z"}, "containers": {"cna": {"title": "Sonarr Authentication Bypass vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r"}, {"name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942", "tags": ["x_refsource_MISC"], "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942"}, {"name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944", "tags": ["x_refsource_MISC"], "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944"}], "affected": [{"vendor": "Sonarr", "product": "Sonarr", "versions": [{"version": "< 4.0.16.2942", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T21:08:15.426Z"}, "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution."}], "source": {"advisory": "GHSA-h5qx-5hjf-7c9r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:23:30.487188Z", "id": "CVE-2026-30975", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:23:38.612Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:23:30.487188Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:23:34.236Z"}}], "cna": {"title": "Sonarr Authentication Bypass vulnerability", "source": {"advisory": "GHSA-h5qx-5hjf-7c9r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Sonarr", "product": "Sonarr", "versions": [{"status": "affected", "version": "< 4.0.16.2942"}]}], "references": [{"url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r", "name": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942", "name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944", "name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T21:08:15.426Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30975", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:23:38.612Z", "dateReserved": "2026-03-07T17:53:48.816Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T21:08:15.426Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sonarr:sonarr:*:*:*:*:*:*:*:*", "matchCriteriaId": "03480656-DD06-48B9-AB6B-40F751EDAA17", "versionEndExcluding": "4.0.16.2942", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution."}, {"lang": "es", "value": "Sonarr es un PVR para usuarios de Usenet y BitTorrent. Las versiones anteriores a la 4.0.16.2942 tienen una omisi\u00f3n de autenticaci\u00f3n que afectaba a los usuarios que hab\u00edan deshabilitado la autenticaci\u00f3n para direcciones locales (Autenticaci\u00f3n Requerida configurada como: 'Deshabilitada para Direcciones Locales') sin un proxy inverso ejecut\u00e1ndose delante de Sonarr que s\u00ed pasara la cabecera inv\u00e1lida. Los parches est\u00e1n disponibles en la versi\u00f3n 4.0.16.2942 en la rama nightly/develop y en la versi\u00f3n 4.0.16.2944 para las versiones stable/main. Algunas soluciones alternativas est\u00e1n disponibles. Aseg\u00farese de que la configuraci\u00f3n 'Autenticaci\u00f3n Requerida' de Sonarr est\u00e9 establecida en 'Habilitada', ejecute Sonarr detr\u00e1s de un proxy inverso, y/o no exponga Sonarr directamente a internet y, en su lugar, conf\u00ede en acceder a \u00e9l a trav\u00e9s de una VPN, Tailscale o una soluci\u00f3n similar."}], "id": "CVE-2026-30975", "lastModified": "2026-03-30T16:55:47.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T21:16:41.453", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.16.2942)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Sonarr", "source": "cna", "vendor": "Sonarr"}, "product": "sonarr", "vendor": "sonarr"}], "analysis": {"en": {"generated_at": "2026-03-30T18:53:50.922376+00:00", "value": {"mitigation_remediation": ["Upgrade Sonarr to version 4.0.16.2944 or later (or apply the nightly 4.0.16.2942 build).", "Enable the Authentication Required setting so that all requests must present credentials.", "Run Sonarr behind a reverse proxy that controls or forwards authentication headers appropriately.", "Do not expose Sonarr directly to the internet; use a VPN, Tailscale, or other secure tunnel for access."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is Sonarr, with all releases prior to version 4.0.16.2942 vulnerable. The issue is resolved by upgrading to the nightly build 4.0.16.2942 or to the stable release 4.0.16.2944 and later.", "description_and_impact": "Sonarr versions older than 4.0.16.2942 allow an unauthenticated attacker to bypass the login mechanism when the application is configured to disable authentication for local addresses and no reverse proxy is in place. The flaw permits the attacker to access the web interface as a fully authenticated user, enabling the use of all administrative functions without providing valid credentials.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, while the EPSS probability of less than 1\u202f% suggests a low likelihood of exploitation in the field. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is over HTTP by sending requests that do not present authenticating credentials to an exposed Sonarr instance that has disabled local\u2011address authentication; if the service is not directly reachable from the internet, the risk is mitigated but misconfigured reverse proxies could still expose the surface."}}}}, "created": "2026-03-26T11:31:28.169708+00:00", "updated": "2026-03-30T20:57:53.056939+00:00", "vendors": ["sonarr", "sonarr$PRODUCT$sonarr"]}