PT-2026-22383 · Telegram+6

Mandreko · Published 2026-02-27 · Updated 2026-03-04 · CVE-2026-27793

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Seerr versions prior to 3.1.0
Description: Seerr is a media request and discovery manager for Jellyfin, Plex, and Emby. The GET /api/v1/user/:id API endpoint improperly discloses the full settings object for any user, including credentials for Pushover, Pushbullet, and Telegram, to any authenticated requester, irrespective of their privilege level. This issue can be exploited independently or in conjunction with an unauthenticated account creation issue. Exploiting both issues creates a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. The variable id in the API endpoint is vulnerable.
Recommendations: Update to version 3.1.0 or later.
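The IDOR pattern from the description, shown as an added illustration rather than Seerr's own code: a per-user lookup that returns the whole stored object beside a hardened version that strips notification credentials unless the requester is the user themself or an administrator. The user records, the settings key names and the string-valued `permissions` field are constructed for the demo and are not the project's real schema.

```javascript
// Constructed sample user store; field names are assumptions for this demo.
const users = {
  1: { id: 1, username: "admin", permissions: "ADMIN",
       settings: { locale: "en", pushoverApplicationToken: "SAMPLE-po-token",
                   pushbulletAccessToken: "SAMPLE-pb-token", telegramChatId: "123456" } },
  2: { id: 2, username: "viewer", permissions: "REQUEST",
       settings: { locale: "en", telegramChatId: "987654" } },
};

// Settings keys that carry third-party notification credentials (assumed names).
const SECRET_SETTINGS = new Set([
  "pushoverApplicationToken", "pushoverUserKey",
  "pushbulletAccessToken", "telegramChatId", "telegramBotToken",
]);

// Vulnerable pattern: the requester is authenticated but never compared to the
// target id, so any low-privilege account receives the full settings object.
function getUserVulnerable(requester, id) {
  const user = users[id];
  if (!user) return { status: 404 };
  return { status: 200, body: user };
}

// Hardened pattern: only the owner or an admin gets the settings; every other
// requester receives the profile with credential-bearing keys removed.
function getUserHardened(requester, id) {
  const user = users[id];
  if (!user) return { status: 404 };
  const isSelf = requester.id === user.id;
  const isAdmin = requester.permissions === "ADMIN";
  if (isSelf || isAdmin) return { status: 200, body: user };
  const publicSettings = Object.fromEntries(
    Object.entries(user.settings).filter(([k]) => !SECRET_SETTINGS.has(k)));
  return { status: 200, body: { ...user, settings: publicSettings } };
}

// Review aid: does a response body expose any credential-bearing key?
function leaksCredentials(body) {
  return Object.keys(body.settings || {}).some((k) => SECRET_SETTINGS.has(k));
}
```

The same check also applies to list endpoints that embed user objects, since a collection response leaks the same fields one user at a time.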

Exploit

Fix

IDOR


Weakness Enumeration

Related identifiers

CVE-2026-27793
GHSA-F7XW-JCQR-57HP

Affected products

Emby
Jellyfin
Plex
Pushbullet
Pushover
Seerr
Telegram