PT-2026-40331 · Unknown · Cleanuparr

Published: 2026-05-12 · Updated: 2026-05-12 · CVE-2026-44184

CVSS v3.1: 8.0 (High)

Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cleanuparr versions prior to 2.9.10

Description

The global CORS (Cross-Origin Resource Sharing) policy reflects every request Origin and combines it with AllowCredentials(). When the DisableAuthForLocalAddresses setting is enabled, the API authenticates requests based solely on the source IP through the TrustedNetworkAuthenticationHandler() function. This combination allows any website visited by an administrator or a user on a trusted IP to read authenticated API responses cross-origin, which may include the administrator's permanent API key.

Recommendations

Update to version 2.9.10.
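
The header pattern from the description, as an added example (not Cleanuparr's code and not part of the original advisory): a Python check that classifies the CORS headers an API returns to a request carrying an origin it should not trust, usable to verify a deployment before and after upgrading. The probe origin, the internal hostname and the sample responses are constructed.

```python
# Added example: classify CORS response headers for the reflected-Origin
# plus credentials pattern. All origins and responses below are constructed.
PROBE_ORIGIN = "https://untrusted.example"  # an origin the API should not trust


def audit_cors(probe_origin, response_headers):
    """Classify the response to a request sent with `Origin: probe_origin`."""
    # Header names are case-insensitive, so normalise them before lookup.
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    # Browsers only honour the exact, case-sensitive value "true".
    with_credentials = headers.get("access-control-allow-credentials") == "true"

    if allow_origin is None:
        return "not-allowed"        # browser blocks the cross-origin read
    if allow_origin == "*":
        return "wildcard"           # never valid for credentialed requests
    if allow_origin == probe_origin:
        # The server echoed an origin it had no reason to trust.
        return "reflected-with-credentials" if with_credentials else "reflected"
    return "fixed-allowlist"        # server answered with its own origin


SAMPLE_RESPONSES = {
    "reflects origin, credentials allowed": {
        "Access-Control-Allow-Origin": PROBE_ORIGIN,
        "Access-Control-Allow-Credentials": "true",
    },
    "no CORS headers for unknown origin": {"Content-Type": "application/json"},
    "pinned to one origin": {
        "access-control-allow-origin": "https://cleanuparr.internal.example",
        "access-control-allow-credentials": "true",
    },
}


def audit_samples():
    """Run the classifier over every constructed sample response."""
    return {name: audit_cors(PROBE_ORIGIN, hdrs)
            for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, finding in audit_samples().items():
        print(f"{finding:28} {name}")
```

A `reflected-with-credentials` result for an origin the deployment does not trust is the condition the description names.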

Weakness Enumeration: Origin Validation Error

Related Identifiers: CVE-2026-44184

Affected Products: Cleanuparr