PT-2026-22380 · Seerr+5

Mandreko · Published 2026-02-27 · Updated 2026-03-04

CVE-2026-27707
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Seerr versions 2.0.0 through 3.0.9
Description: Seerr is a media request and discovery manager for Jellyfin, Plex, and Emby. A flaw in the authentication guard logic of the /api/v1/auth/jellyfin API endpoint allows an unauthenticated attacker to create a new Seerr account on any Plex-configured instance. This is achieved by authenticating against an attacker-controlled Jellyfin server, which grants the attacker an authenticated session with default permissions, including the ability to submit media requests to Radarr/Sonarr. Deployments where settings.main.mediaServerType is set to PLEX, settings.jellyfin.ip is set to "", and settings.main.newPlexLogin is set to true are potentially vulnerable.
Recommendations: Update to Seerr version 3.1.0 or later.
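The following audit script is an added example, not code from the advisory or from the Seerr project. It checks a deployment against the three conditions and the version range given above and flags reverse-proxy log entries for the /api/v1/auth/jellyfin endpoint, which a Plex-only instance should never receive. The log format, the settings dictionary layout and the literal setting values are assumptions (real Seerr settings may encode them differently).

```python
import re
from typing import Iterable

# Version range from the advisory: 2.0.0 through 3.0.9, fixed in 3.1.0.
VULN_FIRST, VULN_FIXED = (2, 0, 0), (3, 1, 0)
JELLYFIN_AUTH_PATH = "/api/v1/auth/jellyfin"
# Assumed reverse-proxy access-log format (constructed): <ip> - - [ts] "METHOD PATH HTTP/x" status size
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.strip().lstrip("v").split(".")[:3])

def is_vulnerable_version(version: str) -> bool:
    return VULN_FIRST <= parse_version(version) < VULN_FIXED

def has_exposed_config(settings: dict) -> bool:
    """Plex mode, no Jellyfin server configured, new Plex logins allowed: the
    condition set the advisory names. Key names follow the advisory; the literal
    values are an assumption, real Seerr settings may encode them differently."""
    main, jf = settings.get("main", {}), settings.get("jellyfin", {})
    return (main.get("mediaServerType") == "PLEX"
            and jf.get("ip", "") == ""
            and main.get("newPlexLogin") is True)

def jellyfin_auth_hits(lines: Iterable[str]) -> list:
    """(client_ip, status) for each POST to the Jellyfin auth endpoint. A Plex-only
    instance should see none; a 2xx means a session was likely issued."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3).split("?")[0] == JELLYFIN_AUTH_PATH:
            hits.append((m.group(1), int(m.group(4))))
    return hits

def assess(version: str, settings: dict, log_lines: Iterable[str]) -> dict:
    hits = jellyfin_auth_hits(log_lines)
    return {"vulnerable_version": is_vulnerable_version(version),
            "exposed_config": has_exposed_config(settings),
            "jellyfin_auth_attempts": len(hits),
            "jellyfin_auth_successes": sum(1 for _, s in hits if 200 <= s < 300)}

if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    settings = {"main": {"mediaServerType": "PLEX", "newPlexLogin": True}, "jellyfin": {"ip": ""}}
    log = ['203.0.113.7 - - [01/Mar/2026:10:00:00 +0000] "POST /api/v1/auth/plex HTTP/1.1" 200 512',
           '203.0.113.9 - - [01/Mar/2026:10:02:13 +0000] "POST /api/v1/auth/jellyfin HTTP/1.1" 200 640',
           '198.51.100.4 - - [01/Mar/2026:10:05:01 +0000] "POST /api/v1/auth/jellyfin HTTP/1.1" 401 30']
    print(assess("3.0.9", settings, log))
```

A deployment that is on a vulnerable version with the exposed configuration and non-zero successful Jellyfin auth hits should be treated as possibly compromised, and the accounts created in that window reviewed, in addition to upgrading.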


Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2026-27707
GHSA-RC4W-7M3R-C2F7

Affected Products

Emby
Jellyfin
Plex
Readarr
Seerr
Sonarr