PT-2026-7910 · Unknown+2 · Prometheus+2

Thegameprofi · Published 2026-02-12 · Updated 2026-02-15 · CVE-2026-26069

CVSS v4.0: 9.1 (Critical)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions

Scraparr versions 3.0.0-beta through 3.0.1

Description

Scraparr, a Prometheus Exporter for the *arr Suite, disclosed Readarr API keys when the Readarr integration was enabled. This occurred because the exporter exposed the configured Readarr API key as the alias metric label value. The issue affected users if Readarr scraping was enabled with no alias configured, the exporter's /metrics endpoint was accessible to external or unauthorized users, and the Readarr instance was externally accessible. If the /metrics endpoint was publicly accessible, the Readarr API key could be disclosed via exported metrics data. The vulnerable parameter is the alias metric label value.

Recommendations

Upgrade to version 3.0.2 or later.
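To confirm whether an exporter you operate is emitting a key in the alias label, the following added example (not Scraparr code) parses Prometheus text-format output and flags label values that match a configured key or look like one. The metric names and key in the sample are constructed, and the 32-hex-character key shape is an assumption about *arr API keys.

```python
import re

# Assumption: *arr API keys are 32 hexadecimal characters.
KEY_SHAPE = re.compile(r"[0-9a-fA-F]{32}")
# One sample line of the Prometheus text format: name{labels} value
SAMPLE_LINE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)\{(.*)\}\s+\S+')
# label="value" pairs, allowing backslash escapes inside the value
LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def find_key_like_labels(metrics_text, label_names=("alias",), known_keys=()):
    """Return (line_no, metric, label, redacted_value) for suspicious labels.

    A label is flagged when its value equals a configured key (known_keys)
    or has the shape of one. label_names=None checks every label.
    """
    findings = []
    for line_no, line in enumerate(metrics_text.splitlines(), 1):
        if line.startswith("#"):  # HELP/TYPE comments carry no labels
            continue
        m = SAMPLE_LINE.match(line)
        if not m:  # samples without labels cannot leak via a label
            continue
        metric, labels = m.groups()
        for name, value in LABEL.findall(labels):
            if label_names is not None and name not in label_names:
                continue
            if value in known_keys or KEY_SHAPE.fullmatch(value):
                # Report only a prefix so the finding does not re-leak the key.
                findings.append((line_no, metric, name, value[:4] + "..."))
    return findings


# Constructed sample; metric names and the key are made up for illustration.
SAMPLE = """\
# HELP example_readarr_book_count Constructed metric
# TYPE example_readarr_book_count gauge
example_readarr_book_count{alias="0123456789abcdef0123456789abcdef"} 42
example_sonarr_series_count{alias="tv-main"} 17
example_readarr_up{alias="books",instance="0123456789abcdef0123456789abcdef"} 1
"""

if __name__ == "__main__":
    for finding in find_key_like_labels(SAMPLE):
        print(finding)
```

Run it against a saved copy of your exporter's /metrics output and pass the configured Readarr key in `known_keys`; any finding means the key should be rotated after upgrading.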

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-26069
GHSA-HX24-222F-W5CJ

Affected Products

Prometheus
Readarr
Scraparr