{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32702", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.823Z", "datePublished": "2026-03-13T21:09:00.127Z", "dateUpdated": "2026-03-16T16:47:53.284Z"}, "containers": {"cna": {"title": "Cleanuparr has Username Enumeration via Timing Attack", "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-gjmf-m27r-2c9v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-gjmf-m27r-2c9v"}], "affected": [{"vendor": "Cleanuparr", "product": "Cleanuparr", "versions": [{"version": ">= 2.7.0, <= 2.8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:09:00.127Z"}, "descriptions": [{"lang": "en", "value": "Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1."}], "source": {"advisory": "GHSA-gjmf-m27r-2c9v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-gjmf-m27r-2c9v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T16:47:48.424254Z", "id": "CVE-2026-32702", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T16:47:53.284Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32702", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T16:47:48.424254Z"}}}], "references": [{"url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-gjmf-m27r-2c9v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T16:47:42.330Z"}}], "cna": {"title": "Cleanuparr has Username Enumeration via Timing Attack", "source": {"advisory": "GHSA-gjmf-m27r-2c9v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Cleanuparr", "product": "Cleanuparr", "versions": [{"status": "affected", "version": ">= 2.7.0, <= 2.8.0"}]}], "references": [{"url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-gjmf-m27r-2c9v", "name": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-gjmf-m27r-2c9v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:09:00.127Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32702", "state": "PUBLISHED", "dateUpdated": "2026-03-16T16:47:53.284Z", "dateReserved": "2026-03-13T14:33:42.823Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T21:09:00.127Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cleanuparr_project:cleanuparr:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFFA3DD2-63E9-4197-87EB-E7DF58B3DCBC", "versionEndExcluding": "2.8.1", "versionStartIncluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1."}], "id": "CVE-2026-32702", "lastModified": "2026-03-18T18:19:19.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:41.087", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-gjmf-m27r-2c9v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-gjmf-m27r-2c9v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.7.0,2.8.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cleanuparr", "source": "cna", "vendor": "Cleanuparr"}, "product": "cleanuparr", "vendor": "cleanuparr"}], "analysis": {"en": {"generated_at": "2026-03-18T19:39:48.573642+00:00", "value": {"mitigation_remediation": ["Apply the patch that upgrades Cleanuparr to version 2.8.1 or later."], "summary": {"action": "Patch", "impact": "Username Enumeration"}, "threat_synthesis": {"affected_systems": "Affected vendors of the vulnerability are Cleanuparr:Cleanuparr, specifically the Cleanuparr Project. The impacted versions are 2.7.0 through 2.8.0, as indicated by the vulnerability description. The relevant component is the /api/auth/login endpoint, accessed via the API exposed by the Cleanuparr application.", "description_and_impact": "The flaw resides in the /api/auth/login endpoint of Cleanuparr between versions 2.7.0 and 2.8.0. The VerifyPassword function performs the most time\u2011consuming work, but short\u2011circuits occur before hashing when the supplied username is invalid. This timing differential allows an unauthenticated attacker to infer whether a username exists by measuring response times, resulting in information disclosure rather than direct code execution or denial of service. The weakness is classified as CWE-208 (Timing Channel).", "risk_and_exploitability": "The CVSS score for this vulnerability is 6.9, indicating a moderate severity. The EPSS score is less than 1\u202f% and the issue is not listed in the CISA KEV catalog, suggesting that exploitation is unlikely in the wild but not impossible. The attack requires an attacker who can send unauthenticated requests to the public API endpoint and perform precise timing measurements, which is technically feasible for a network\u2011connected attacker. The resulting impact is the exposure of valid usernames, enabling attackers to focus subsequent credential\u2011guessing or social\u2011engineering attacks."}}}}, "created": "2026-03-16T09:22:51.924983+00:00", "updated": "2026-03-23T13:39:27.786288+00:00", "vendors": ["cleanuparr", "cleanuparr$PRODUCT$cleanuparr"]}