CVE-2026-27792 Overview
A missing authorization vulnerability has been identified in Seerr, an open-source media request and discovery manager for Jellyfin, Plex, and Emby. The vulnerability affects versions 2.7.0 through 3.0.x and allows authenticated users to access and modify data belonging to other users due to the absence of the isOwnProfileOrAdmin() middleware on several push subscription API routes.
Critical Impact
Authenticated attackers can view and modify other users' push subscription settings, potentially leading to unauthorized data access and privacy violations across user boundaries.
Affected Products
- Seerr versions 2.7.0 through 3.0.x
- Push subscription API endpoints lacking authorization middleware
- Self-hosted Seerr instances with multiple user accounts
Discovery Timeline
- 2026-02-27 - CVE-2026-27792 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2026-27792
Vulnerability Analysis
This vulnerability represents a Missing Authorization flaw (CWE-862) in the Seerr application's push subscription API routes. The core issue stems from the failure to implement proper authorization checks that verify whether a requesting user has permission to access or modify another user's data.
In web applications with multi-user functionality, it is essential to validate that users can only interact with their own resources unless they have administrative privileges. The isOwnProfileOrAdmin() middleware was designed for this purpose but was not consistently applied across all relevant API endpoints, creating an authorization gap.
The network-accessible attack vector combined with low complexity requirements means that any authenticated user can potentially exploit this vulnerability. While the impact is limited to confidentiality and integrity breaches without availability impact, the unauthorized cross-user data access represents a significant privacy concern for affected deployments.
Root Cause
The root cause is the inconsistent application of authorization middleware across the push subscription API routes. The isOwnProfileOrAdmin() middleware, which validates that a user can only access their own profile or possesses administrative permissions, was not applied to several critical endpoints in server/routes/user/index.ts and server/routes/user/usersettings.ts. This allowed authenticated users to bypass user-level access controls and interact with other users' subscription data.
Attack Vector
An authenticated attacker can exploit this vulnerability by sending crafted API requests to the unprotected push subscription endpoints, substituting another user's ID in the request parameters. Since the authorization middleware is missing, the application processes these requests without validating the relationship between the requesting user and the target user account.
The attack requires only authenticated access to the Seerr application and can be performed over the network. No user interaction is required, and the attacker does not need administrative privileges—only valid credentials for any user account.
// Security patch in server/routes/user/index.ts - Adding isOwnProfileOrAdmin middleware
import logger from '@server/logger';
import { isAuthenticated } from '@server/middleware/auth';
import { getHostname } from '@server/utils/getHostname';
+import { isOwnProfileOrAdmin } from '@server/utils/profileMiddleware';
import { Router } from 'express';
import gravatarUrl from 'gravatar-url';
import { findIndex, sortBy } from 'lodash';
Source: GitHub Commit Update
// Security patch in server/routes/user/usersettings.ts - Centralizing middleware
import { isAuthenticated } from '@server/middleware/auth';
import { ApiError } from '@server/types/error';
import { getHostname } from '@server/utils/getHostname';
+import {
+ isOwnProfile,
+ isOwnProfileOrAdmin,
+} from '@server/utils/profileMiddleware';
import { Router } from 'express';
import net from 'net';
import { Not } from 'typeorm';
import { canMakePermissionsChange } from '.';
-const isOwnProfile = (): Middleware => {
- return (req, res, next) => {
- if (req.user?.id !== Number(req.params.id)) {
- return next({
- status: 403,
- message: "You do not have permission to view this user's settings.",
- });
- }
- next();
- };
-};
-
-const isOwnProfileOrAdmin = (): Middleware => {
- const authMiddleware: Middleware = (req, res, next) => {
- if (
- !req.user?.hasPermission(Permission.MANAGE_USERS) &&
- req.user?.id !== Number(req.params.id)
- ) {
Source: GitHub Commit Update
Detection Methods for CVE-2026-27792
Indicators of Compromise
- API requests to push subscription endpoints containing user IDs that don't match the authenticated session
- Unusual patterns of cross-user data access in application logs
- Multiple user profile modifications originating from a single authenticated session
- 403 Forbidden errors appearing after patching, indicating previous exploitation attempts
Detection Strategies
- Monitor API access logs for requests where the authenticated user ID differs from the target user ID in request parameters
- Implement audit logging on all user settings and push subscription endpoints
- Review historical access patterns for anomalous cross-user data retrieval
- Deploy web application firewall rules to flag requests with mismatched user identifiers
Monitoring Recommendations
- Enable detailed logging for all endpoints in server/routes/user/ directory
- Set up alerts for authorization failures and permission denied responses
- Monitor for bulk enumeration attempts against user-related API endpoints
- Track push subscription modifications and correlate with user session data
How to Mitigate CVE-2026-27792
Immediate Actions Required
- Upgrade Seerr to version 3.1.0 or later immediately
- Review application logs for evidence of unauthorized cross-user access
- Notify users if unauthorized access to their push subscription data is detected
- Temporarily restrict access to affected API endpoints if immediate patching is not possible
Patch Information
The vulnerability is fixed in Seerr version 3.1.0. The patch centralizes the authorization middleware into @server/utils/profileMiddleware and ensures it is consistently applied across all push subscription API routes. The fix includes the isOwnProfile() and isOwnProfileOrAdmin() functions that validate user permissions before allowing access to profile and subscription data.
For detailed patch information, refer to the GitHub Security Advisory GHSA-gx3h-3jg5-q65f and the GitHub Release v3.1.0.
Workarounds
- Restrict Seerr access to trusted users only until the patch can be applied
- Implement a reverse proxy with additional authorization checks on affected endpoints
- Disable push notification functionality temporarily if not critical to operations
- Place the Seerr instance behind a VPN to limit exposure to authenticated attackers
# Configuration example - Restrict access via reverse proxy (nginx)
# Add to location block for /api/v1/user endpoints
location /api/v1/user {
# Require additional authentication or IP restrictions
allow 10.0.0.0/8;
deny all;
proxy_pass http://seerr:5055;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
