CVE-2026-44183
CRITICALCleanuparr: X-Forwarded-For leftmost parsing allows remote unauthenticated admin takeover when reverse-proxy mode is enabled
Title source: cnaDescription
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry is attacker-controlled — X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-8q44-v65j-jc3q
Scores
CVSS v3
9.8
EPSS
0.0022
EPSS Percentile
12.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-290
CWE-348
Status
published
Products (1)
Cleanuparr/Cleanuparr
< 2.9.10
Published
May 12, 2026
Tracked Since
May 13, 2026