CVE-2026-44184
HIGHCleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads
Title source: cnaDescription
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf
Scores
CVSS v3
8.0
EPSS
0.0012
EPSS Percentile
2.2%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-346
CWE-942
Status
published
Products (1)
Cleanuparr/Cleanuparr
< 2.9.10
Published
May 12, 2026
Tracked Since
May 13, 2026