CVE-2026-30975

Published: Mar 25, 2026

Modified: Mar 26, 2026

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.

Vendor	Product	Versions
Sonarr	Sonarr	affected `< 4.0.16.2942`

Weaknesses (CWE)

CWE-290

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r

x_refsource_CONFIRM

https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942

x_refsource_MISC

https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-30975

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References