CVE-2026-27793 Overview
CVE-2026-27793 is an Insecure Direct Object Reference (IDOR) vulnerability in Seerr, an open-source media request and discovery manager for Jellyfin, Plex, and Emby. The vulnerability exists in the GET /api/v1/user/:id endpoint, which returns the full settings object for any user—including sensitive third-party API credentials for Pushover, Pushbullet, and Telegram—to any authenticated requester regardless of their privilege level.
This vulnerability is particularly dangerous when combined with CVE-2026-27707, an unauthenticated account creation vulnerability. Together, these vulnerabilities create a zero-prior-access attack chain that enables complete exfiltration of third-party API credentials for all users, including administrators.
Critical Impact
Any authenticated user can retrieve sensitive third-party API credentials (Pushover, Pushbullet, Telegram) for all users including administrators, enabling account takeover on connected notification services.
Affected Products
- Seerr versions prior to 3.1.0
Discovery Timeline
- 2026-02-27 - CVE-2026-27793 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2026-27793
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, commonly known as Insecure Direct Object Reference (IDOR). The root issue lies in the user retrieval endpoint's insufficient access control implementation.
The GET /api/v1/user/:id endpoint accepts a user ID parameter and returns user data without properly validating whether the requesting user has authorization to view the target user's sensitive information. The endpoint's filtering logic only checked if the requester had MANAGE_USERS permission, but failed to consider whether non-administrative users should be restricted from viewing other users' private settings.
The exposed settings object contains sensitive third-party notification service credentials including Pushover user keys, Pushbullet API tokens, and Telegram bot credentials. An attacker with basic authenticated access can enumerate user IDs and extract these credentials systematically.
Root Cause
The vulnerability stems from an insufficient field filtering implementation in the User entity class. The original filteredFields array only excluded email and plexId from API responses, leaving sensitive authentication tokens and settings exposed. The endpoint logic also failed to implement proper ownership checks—it would return unfiltered data to any authenticated user rather than restricting sensitive fields to the profile owner or administrators.
Attack Vector
An attacker can exploit this vulnerability through the network by making authenticated HTTP requests to the vulnerable endpoint. The attack requires low complexity and no user interaction:
- The attacker creates an account (legitimately or via CVE-2026-27707)
- Authenticates to obtain a valid session
- Enumerates user IDs by incrementing the :id parameter
- Extracts third-party API credentials from each user's settings object
The following patch demonstrates how the vulnerability was addressed by expanding the filtered fields list and implementing proper ownership validation:
Entity-level filtering expansion (server/entity/User.ts):
return users.map((u) => u.filter(showFiltered));
}
- static readonly filteredFields: string[] = ['email', 'plexId'];
+ static readonly filteredFields: string[] = [
+ 'email',
+ 'plexId',
+ 'password',
+ 'resetPasswordGuid',
+ 'jellyfinDeviceId',
+ 'jellyfinAuthToken',
+ 'plexToken',
+ 'settings',
+ ];
public displayName: string;
Source: GitHub Commit 4f089b2
Endpoint access control fix (server/routes/user/index.ts):
router.get<{ id: string }>('/:id', async (req, res, next) => {
try {
const userRepository = getRepository(User);
-
const user = await userRepository.findOneOrFail({
where: { id: Number(req.params.id) },
});
- return res
- .status(200)
- .json(user.filter(req.user?.hasPermission(Permission.MANAGE_USERS)));
+ const isOwnProfile = req.user?.id === user.id;
+ const isAdmin = req.user?.hasPermission(Permission.MANAGE_USERS);
+
+ return res.status(200).json(user.filter(isOwnProfile || isAdmin));
} catch (e) {
next({ status: 404, message: 'User not found.' });
}
Source: GitHub Commit 4f089b2
Detection Methods for CVE-2026-27793
Indicators of Compromise
- Unusual volume of GET /api/v1/user/:id requests from a single authenticated session
- Sequential enumeration patterns in user ID parameters (e.g., requests for IDs 1, 2, 3, 4...)
- Authenticated users accessing user profiles other than their own without administrative privileges
- Anomalous API activity from newly created accounts targeting user endpoints
Detection Strategies
- Implement API rate limiting and anomaly detection for the /api/v1/user/ endpoint to identify enumeration attempts
- Monitor authentication logs for accounts created via CVE-2026-27707 followed by user enumeration activity
- Review web server access logs for patterns indicating systematic user ID enumeration
- Deploy Web Application Firewall (WAF) rules to detect and block IDOR attack patterns
Monitoring Recommendations
- Enable detailed API access logging including authenticated user identity, target user IDs, and response sizes
- Set up alerts for high-frequency requests to user profile endpoints from non-administrative accounts
- Monitor for unauthorized access to third-party notification services using credentials that may have been exfiltrated
- Review Pushover, Pushbullet, and Telegram account activity for suspicious API usage
How to Mitigate CVE-2026-27793
Immediate Actions Required
- Upgrade Seerr to version 3.1.0 or later immediately
- Rotate all third-party notification service credentials (Pushover, Pushbullet, Telegram) for all users
- Review API access logs to determine if the vulnerability was exploited prior to patching
- If CVE-2026-27707 is also present, audit for unauthorized account creation and remove suspicious accounts
Patch Information
The vulnerability has been addressed in Seerr version 3.1.0. The fix implements two key changes:
Expanded field filtering: The filteredFields array now includes password, resetPasswordGuid, jellyfinDeviceId, jellyfinAuthToken, plexToken, and settings to prevent exposure of sensitive data.
Ownership-based access control: The endpoint now checks whether the requesting user is either viewing their own profile (isOwnProfile) or has administrative privileges (isAdmin) before returning unfiltered data.
For detailed patch information, see the GitHub Security Advisory GHSA-f7xw-jcqr-57hp and the v3.1.0 release notes.
Workarounds
- If immediate patching is not possible, implement a reverse proxy rule to block or restrict access to /api/v1/user/:id endpoints for non-administrative users
- Temporarily disable third-party notification integrations until the patch can be applied
- Implement network-level access controls to limit API access to trusted IP addresses
- Consider placing Seerr behind authentication middleware that enforces stricter access controls
# Example nginx configuration to restrict user endpoint access
location ~ ^/api/v1/user/[0-9]+$ {
# Only allow requests from trusted admin IPs
allow 192.168.1.0/24;
deny all;
proxy_pass http://seerr_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
