PT-2026-25386 · Cleanuparr+1 · Cleanuparr
Ppfeister · Published 2026-03-13 · Updated 2026-03-16
CVE-2026-32702
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Cleanuparr versions 2.7.0 through 2.8.0
Description
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. The /api/auth/login endpoint has a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. The hashing function, which is the most time-consuming part of the login process, runs inside the VerifyPassword function. Code paths that short-circuit before reaching the hashing function return noticeably faster, and this timing differential exposes to the attacker whether a username is valid.
Recommendations
Cleanuparr versions 2.7.0 through 2.8.0 should be updated to version 2.8.1.
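The short circuit from the Description, shown next to one common mitigation, as an added Python example that is not Cleanuparr's code and not its 2.8.1 fix. The function names, the PBKDF2 hash and its cost, and the user store are assumptions for illustration; slow-hash calls are counted instead of timed so the difference is deterministic.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed cost; the advisory does not name the hash used
hash_calls = 0         # number of slow-hash invocations since the last reset


def slow_hash(password, salt):
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


# Constructed user store: username -> (salt, stored_hash)
USERS = {"admin": make_record("correct horse battery staple")}
# Throwaway record verified for unknown usernames so both paths cost one hash.
DUMMY = make_record(os.urandom(16).hex())


def verify_password(password, record):
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)


def login_short_circuit(username, password):
    """Flawed shape: an unknown username returns before any hashing."""
    record = USERS.get(username)
    if record is None:
        return False   # fast path: response time reveals "no such user"
    return verify_password(password, record)


def login_equalized(username, password):
    """Hardened shape: always run exactly one hash, then combine results."""
    record = USERS.get(username)
    ok = verify_password(password, record if record is not None else DUMMY)
    return ok and record is not None


def hashes_used(login, username, password):
    """Return how many slow hashes one login attempt triggered."""
    global hash_calls
    hash_calls = 0
    login(username, password)
    return hash_calls
```

A regression test for a login endpoint can assert the same invariant: the number of slow-hash calls must not depend on whether the username exists.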
Affected Products
Cleanuparr