CVE-2026-44184 | THREATINT

Description

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-12 | Updated 2026-05-12 | Assigner GitHub_M

HIGH: 8.0CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-346: Origin Validation Error

CWE-942: Permissive Cross-domain Policy with Untrusted Domains

Product status

< 2.9.10

affected

References

github.com/...nuparr/security/advisories/GHSA-rwpc-36mg-fpvf exploit

github.com/...nuparr/security/advisories/GHSA-rwpc-36mg-fpvf

cve.org (CVE-2026-44184)

nvd.nist.gov (CVE-2026-44184)

Download JSON