PT-2026-28129 · Sonarr · Sonarr

Bart +1 · Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-30975

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Sonarr versions prior to 4.0.16.2942

Description

Sonarr is a PVR for Usenet and BitTorrent users. A flaw exists where authentication could be bypassed in versions with authentication disabled for local addresses (Authentication Required set to: Disabled for Local Addresses) if a reverse proxy was not in place or did not properly handle headers. The issue affects the Authentication Required setting.

Recommendations

Update to version 4.0.16.2942 or later. Ensure Sonarr's Authentication Required setting is set to Enabled. Run Sonarr behind a reverse proxy. Avoid exposing Sonarr directly to the internet; use a VPN or Tailscale instead.

Exploit

Fix

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-30975
GHSA-H5QX-5HJF-7C9R

Affected Products

Sonarr