PT-2026-40330 · Unknown · Cleanuparr

Published: 2026-05-12 · Updated: 2026-05-12 · CVE-2026-44183

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cleanuparr versions prior to 2.9.10

Description

TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the 'X-Forwarded-For' header as the client IP. Because proxies only append to this header, the leftmost value is controlled by the HTTP client. An unauthenticated remote attacker can send a spoofed local IP in this header to bypass the trusted-network check and gain access as the Cleanuparr administrator.

Recommendations

Update to version 2.9.10.
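
The leftmost-entry pattern from the description next to a hardened resolver, as an added Python example; it is not Cleanuparr's code (which this page does not show) and not a statement of how 2.9.10 fixes the issue. The function names, `TRUSTED_NETS`, `KNOWN_PROXIES` and every address are constructed assumptions.

```python
import ipaddress

# Constructed assumptions: networks allowed in without a login, and the single
# reverse proxy permitted to append X-Forwarded-For (XFF).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
KNOWN_PROXIES = {ipaddress.ip_address("10.0.0.2")}

def resolve_leftmost(peer, xff):
    """Flawed pattern from the description: the leftmost XFF entry wins."""
    if xff:
        try:
            return ipaddress.ip_address(xff.split(",")[0].strip())
        except ValueError:
            pass  # unparsable entry: fall back to the TCP peer
    return ipaddress.ip_address(peer)

def resolve_hardened(peer, xff):
    """Read XFF only when the TCP peer is a known proxy, then walk right to
    left and return the first hop that is not itself a known proxy."""
    addr = ipaddress.ip_address(peer)
    if addr not in KNOWN_PROXIES or not xff:
        return addr
    for hop in reversed(xff.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed entry: fail closed
        if addr not in KNOWN_PROXIES:
            return addr
    return addr  # every hop was a known proxy

def is_trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_NETS)

# Constructed requests: (TCP peer, X-Forwarded-For value or None)
SAMPLES = {
    "direct, spoofed header": ("203.0.113.7", "127.0.0.1"),
    "via proxy, spoofed header": ("10.0.0.2", "127.0.0.1, 203.0.113.7"),
    "via proxy, LAN user": ("10.0.0.2", "192.168.1.50"),
    "direct, no header": ("203.0.113.7", None),
}

def evaluate():
    """Map each sample to (leftmost_verdict, hardened_verdict)."""
    return {name: (is_trusted(resolve_leftmost(p, x)), is_trusted(resolve_hardened(p, x)))
            for name, (p, x) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:28} leftmost={verdicts[0]} hardened={verdicts[1]}")
```

The hardened resolver only reads the header when the TCP peer is a configured proxy, so a request that reaches the application directly is always judged by its socket address.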

Exploit

Fix

Authentication Bypass by Spoofing

Weakness Enumeration

Related Identifiers

CVE-2026-44183

Affected Products

Cleanuparr