CVE-2026-30975
- Source
- https://cve.org/CVERecord?id=CVE-2026-30975
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30975.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-30975
- Aliases
-
- GHSA-h5qx-5hjf-7c9r
- Published
- 2026-03-25T21:08:15.426Z
- Modified
- 2026-04-10T05:42:49.117347Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Sonarr Authentication Bypass vulnerability
- Details
-
Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to:
Disabled for Local Addresses) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set toEnabled, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution. - Database specific
{ "cwe_ids": [ "CWE-290" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30975.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30975.json
- https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942
- https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944
- https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r
- https://nvd.nist.gov/vuln/detail/CVE-2026-30975
Affected packages
Git / github.com/sonarr/sonarr
Affected versions
v2.*
v2.0.0.3004
v2.0.0.3154
v2.0.0.3357
v2.0.0.3527
v2.0.0.3530
v2.0.0.3573
v2.0.0.3645
v2.0.0.3732
v2.0.0.3953
v2.0.0.4146
v2.0.0.4230
v2.0.0.4323
v2.0.0.4326
v2.0.0.4370
v2.0.0.4389
v2.0.0.4409
v2.0.0.4427
v2.0.0.4472
v2.0.0.4613
v2.0.0.4689
v2.0.0.4748
v2.0.0.4753
v2.0.0.4855
v2.0.0.4913
v2.0.0.4918
v2.0.0.4919
v2.0.0.4928
v2.0.0.4949
v2.0.0.5054
v2.0.0.5153
v2.0.0.5163
v2.0.0.5225
v2.0.0.5228
v2.0.0.5250
v3.*
v3.0.5.1144
v3.0.6.1196
v3.0.6.1264
v3.0.6.1266
v3.0.6.1335
v3.0.6.1342
v3.0.7.1477
v3.0.8.1507
v3.0.9.1549
v4.*
v4.0.0.741
v4.0.0.825
v4.0.0.836
v4.0.0.924
v4.0.1.1014
v4.0.1.1047
v4.0.1.1096
v4.0.1.1114
v4.0.1.1131
v4.0.1.1168
v4.0.1.929
v4.0.1.933
v4.0.1.947
v4.0.1.953
v4.0.1.987
v4.0.10.2544
v4.0.10.2579
v4.0.10.2624
v4.0.10.2656
v4.0.11.2680
v4.0.11.2688
v4.0.11.2697
v4.0.11.2724
v4.0.11.2743
v4.0.11.2762
v4.0.11.2774
v4.0.11.2784
v4.0.11.2793
v4.0.11.2800
v4.0.11.2804
v4.0.11.2815
v4.0.12.2823
v4.0.12.2825
v4.0.12.2849
v4.0.12.2866
v4.0.12.2892
v4.0.12.2900
v4.0.13.2931
v4.0.13.2932
v4.0.13.2933
v4.0.13.2934
v4.0.14.2938
v4.0.14.2939
v4.0.15.2940
v4.0.15.2941
v4.0.2.1183
v4.0.2.1192
v4.0.2.1223
v4.0.2.1262
v4.0.2.1312
v4.0.2.1341
v4.0.2.1367
v4.0.2.1408
v4.0.3.1413
v4.0.3.1442
v4.0.3.1465
v4.0.3.1486
v4.0.4.1491
v4.0.4.1515
v4.0.4.1572
v4.0.4.1616
v4.0.4.1650
v4.0.4.1668
v4.0.4.1692
v4.0.4.1695
v4.0.4.1699
v4.0.5.1710
v4.0.5.1719
v4.0.5.1740
v4.0.5.1760
v4.0.5.1778
v4.0.5.1782
v4.0.5.1791
v4.0.5.1801
v4.0.6.1805
v4.0.6.1820
v4.0.6.1847
v4.0.7.1863
v4.0.7.1868
v4.0.8.1874
v4.0.8.1893
v4.0.8.1902
v4.0.8.1929
v4.0.8.1967
v4.0.8.1988
v4.0.8.2008
v4.0.8.2093
v4.0.8.2158
v4.0.8.2208
v4.0.8.2223
v4.0.9.2244
v4.0.9.2257
v4.0.9.2278
v4.0.9.2300
v4.0.9.2332
v4.0.9.2342
v4.0.9.2386
v4.0.9.2421
v4.0.9.2457
v4.0.9.2513