CVE-2026-26069 Overview
CVE-2026-26069 is an Information Exposure vulnerability affecting Scraparr, a Prometheus Exporter for various components of the *arr Suite. From version 3.0.0-beta to versions prior to 3.0.2, when the Readarr integration was enabled without a configured alias, the exporter exposed the configured Readarr API key as the alias metric label value. This sensitive data disclosure occurs through the publicly accessible /metrics endpoint, potentially allowing unauthorized users to obtain API credentials.
Critical Impact
Exposed Readarr API keys could allow attackers to gain unauthorized access to Readarr instances, potentially leading to data manipulation, configuration changes, or further lateral movement within connected systems.
Affected Products
- Scraparr versions 3.0.0-beta through 3.0.1
- Installations with Readarr scraping feature enabled without a configured alias
- Deployments where the /metrics endpoint is accessible to external or unauthorized users
Discovery Timeline
- February 12, 2026 - CVE-2026-26069 published to NVD
- February 12, 2026 - Last updated in NVD database
Technical Details for CVE-2026-26069
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists in Scraparr's Readarr integration module, where the application improperly handles API key values when no custom alias is configured for the Readarr connection. Instead of using a sanitized identifier, the exporter defaults to using the raw API key as the metric label value, which is then exposed through Prometheus metrics data.
The exposure requires a specific combination of conditions: the Readarr scraping feature must be enabled, no alias must be configured for the integration, and the /metrics endpoint must be accessible to unauthorized users. When these conditions are met, any party with access to the metrics endpoint can extract the Readarr API key from the exported data.
Root Cause
The root cause of this vulnerability stems from improper default handling of the alias configuration parameter. When users enable Readarr integration without specifying a custom alias, the application falls back to using the API key as the identifier in metric labels. This design oversight results in sensitive credential information being serialized into Prometheus metrics output, which is inherently designed for broad consumption by monitoring systems.
Attack Vector
The attack vector for CVE-2026-26069 is network-based and requires no authentication or user interaction. An attacker with network access to the Scraparr /metrics endpoint can passively observe the exported metrics data to extract the Readarr API key. The attack flow proceeds as follows:
- The attacker identifies a Scraparr instance with an exposed /metrics endpoint
- A simple HTTP GET request to the endpoint returns all exported metrics
- The attacker parses the metrics data to locate Readarr-related labels
- The API key is extracted from the alias label value
- With the API key, the attacker can authenticate to the associated Readarr instance
The mechanism lies in the metrics export path. When generating Prometheus-compatible metrics, the exporter constructs the label key-value pairs that identify each data source, and for Readarr the alias label took its value from the API key whenever no alias was configured. For technical details on the specific code changes addressing this issue, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-26069
Indicators of Compromise
- Unusual access patterns to the /metrics endpoint from external IP addresses
- API authentication attempts to Readarr instances from unauthorized sources
- Unexpected configuration changes or data modifications in Readarr
- Network traffic analysis showing metric scraping from non-monitoring infrastructure
Detection Strategies
- Review web server access logs for requests to the /metrics endpoint from unauthorized sources
- Audit Readarr API access logs for authentication from unexpected IP addresses or user agents
- Implement network monitoring to detect external access attempts to monitoring endpoints
- Check Scraparr configuration to verify whether an alias is configured for Readarr integration
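One way to check a running exporter for this class of exposure, as an added example that is not part of this advisory or of the Scraparr project: a Python scan of /metrics output that flags label values shaped like a *arr API key and reports them masked. The 32-character lowercase hex key format, the metric names and the sample output are assumptions made for the example; run the function over the text fetched from your own exporter's /metrics endpoint.

```python
import re

# Constructed sample of Prometheus exposition output, modelled on the exposure
# the advisory describes: a Readarr metric whose alias label carries a
# key-shaped value. The key below is a made-up placeholder, not a real credential.
SAMPLE_METRICS = """\
# HELP readarr_system_status System status
# TYPE readarr_system_status gauge
readarr_system_status{alias="0123456789abcdef0123456789abcdef"} 1
# HELP sonarr_system_status System status
# TYPE sonarr_system_status gauge
sonarr_system_status{alias="sonarr-main"} 1
readarr_queue_total{alias="0123456789abcdef0123456789abcdef",status="queued"} 3
"""

# Assumption: *arr applications issue 32-character lowercase hex API keys, so
# any label value of that shape is treated as a probable leaked secret.
KEY_SHAPE = re.compile(r"^[0-9a-f]{32}$")
# Matches one label="value" pair, allowing escaped quotes inside the value.
LABEL_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def find_leaked_keys(exposition_text):
    """Return a sorted list of (metric_name, label_name, masked_value) findings.

    Comment and empty lines are skipped; every label on every sample line is
    checked, so a key leaking through several metrics is reported once per metric.
    """
    findings = set()
    for line in exposition_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split "name{labels} value" into the metric name and its label block.
        brace = line.find("{")
        if brace == -1:
            continue
        end = line.find("}", brace)
        if end == -1:
            continue
        name = line[:brace]
        for label, value in LABEL_PAIR.findall(line[brace + 1:end]):
            if KEY_SHAPE.match(value):
                masked = value[:4] + "..." + value[-4:]  # never print the full key
                findings.add((name, label, masked))
    return sorted(findings)


if __name__ == "__main__":
    for metric, label, masked in find_leaked_keys(SAMPLE_METRICS):
        print(f"possible API key in {metric}{{{label}=...}}: {masked}")
```

A non-empty result means the exporter should be upgraded and the corresponding API key rotated, since anyone who could reach /metrics may already hold it.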
Monitoring Recommendations
- Deploy alerting for external access attempts to internal monitoring endpoints
- Enable verbose logging on Readarr instances to track API key usage
- Implement network segmentation monitoring between monitoring infrastructure and external networks
- Regularly audit exposed endpoints and their authentication requirements
How to Mitigate CVE-2026-26069
Immediate Actions Required
- Upgrade Scraparr to version 3.0.2 or later immediately
- Rotate the Readarr API key if the /metrics endpoint was publicly accessible
- Configure a custom alias for all Readarr integrations to prevent key exposure
- Restrict network access to the /metrics endpoint to authorized monitoring systems only
Patch Information
The vulnerability is fixed in Scraparr version 3.0.2. The patch ensures that API keys are never used as metric label values, regardless of alias configuration. Users should upgrade to this version immediately using their preferred installation method. The fix can be verified by reviewing the commit update and downloading the patched release from the v3.0.2 release page.
Workarounds
- Configure a custom alias for all Readarr integrations to prevent API key exposure in metrics
- Implement network-level access controls to restrict /metrics endpoint access to internal monitoring systems only
- Use a reverse proxy with authentication to protect the metrics endpoint from unauthorized access
- Disable Readarr integration temporarily until the upgrade can be performed
# Example: Restrict metrics endpoint access using firewall rules
# Allow only the internal monitoring server (replace 10.0.0.100 with your Prometheus IP
# and 9090 with the port your Scraparr instance actually listens on; the port here is assumed).
# Rule order matters: the ACCEPT must be inserted before the DROP, and an earlier rule in the
# INPUT chain that already accepts this port would take precedence over both.
iptables -A INPUT -p tcp --dport 9090 -s 10.0.0.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

