PT-2026-25386 · Cleanuparr+1 · Cleanuparr

Ppfeister

·

Published

2026-03-13

·

Updated

2026-03-16

·

CVE-2026-32702

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Cleanuparr versions 2.7.0 through 2.8.0
Description Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. The /api/auth/login endpoint has a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. The hashing function, which is the most time-consuming part of the process, occurs as part of the VerifyPassword function. Short circuits occurring before the hashing function introduce a timing differential that exposes validity to the attacker.
Recommendations Cleanuparr versions 2.7.0 through 2.8.0 should be updated to version 2.8.1.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-32702
GHSA-GJMF-M27R-2C9V

Affected Products

Cleanuparr