CVE-2026-44184— Cleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads

Cleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10.

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

源验证错误

Cleanuparr 访问控制错误漏洞

Cleanuparr是Cleanuparr开源的一个自动化清理下载队列中无效文件的工具。 Cleanuparr 2.9.10之前版本存在访问控制错误漏洞，该漏洞源于全局CORS策略反映每个请求的Origin并结合AllowCredentials()，当启用DisableAuthForLocalAddresses时，可能导致任何网站读取经过身份验证的API响应，包括管理员永久API密钥。

N/A

N/A