CVE-2026-30975 Overview
CVE-2026-30975 is an authentication bypass vulnerability affecting Sonarr, a popular PVR (Personal Video Recorder) application for Usenet and BitTorrent users. This vulnerability allows remote attackers to bypass authentication mechanisms when specific configuration settings are in place, potentially granting unauthorized access to the Sonarr application and its managed media content.
The vulnerability specifically impacts users who have disabled authentication for local addresses (Authentication Required set to: Disabled for Local Addresses) without a properly configured reverse proxy running in front of Sonarr that filters invalid headers. This configuration oversight allows attackers to craft requests that bypass authentication checks entirely.
Critical Impact
Remote attackers can bypass authentication controls and gain unauthorized access to Sonarr instances, potentially exposing media libraries, download configurations, and system credentials stored within the application.
Affected Products
- Sonarr versions prior to 4.0.16.2942 (nightly/develop branch)
- Sonarr versions prior to 4.0.16.2944 (stable/main branch)
- Installations with "Disabled for Local Addresses" authentication setting exposed without a reverse proxy
Discovery Timeline
- 2026-03-25 - CVE-2026-30975 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-30975
Vulnerability Analysis
This authentication bypass vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing). The flaw exists in how Sonarr handles authentication requirements for requests that appear to originate from local addresses. When the "Authentication Required" setting is configured to "Disabled for Local Addresses," the application relies on request headers to determine the origin of incoming connections.
The vulnerability allows attackers to exploit this trust model by manipulating HTTP headers to make their requests appear as if they originated from local addresses, effectively bypassing the authentication requirement. This is particularly dangerous when Sonarr is directly exposed to the internet without a properly configured reverse proxy that sanitizes or validates these headers.
The impact of successful exploitation includes unauthorized access to:
- Media library management functions
- Download client configurations
- Indexer API keys and credentials
- Application settings and user accounts
Root Cause
The root cause of this vulnerability lies in improper validation of client origin when the "Disabled for Local Addresses" authentication setting is enabled. The application trusts certain HTTP headers to determine whether a request originates from a local network, but these headers can be spoofed by malicious actors. Without a reverse proxy in front of Sonarr that strips or validates these headers, attackers can forge requests that bypass authentication entirely.
Attack Vector
The attack vector is network-based and does not require prior authentication. An attacker can exploit this vulnerability by:
- Identifying a Sonarr instance exposed to the internet with the "Disabled for Local Addresses" authentication setting enabled
- Crafting HTTP requests with spoofed headers indicating a local origin
- Sending these requests directly to the Sonarr instance (when no reverse proxy is present, or when the reverse proxy does not filter the malicious headers)
- Gaining authenticated access to the Sonarr application without valid credentials
The attack requires user interaction (UI:R) in certain scenarios, though the primary exploitation path involves direct network access to misconfigured instances. Successful exploitation can result in high confidentiality and integrity impact, allowing attackers to access and modify sensitive data within the application.
Detection Methods for CVE-2026-30975
Indicators of Compromise
- Unexpected authentication-free access to Sonarr from external IP addresses
- Log entries showing successful API requests without corresponding authentication events
- Unusual modifications to download clients, indexers, or library configurations
- Access logs containing requests with suspicious or inconsistent origin headers
Detection Strategies
- Review Sonarr access logs for requests from external IP addresses that bypassed authentication
- Monitor for configuration changes to authentication settings or API key modifications
- Implement network monitoring to detect direct external access to Sonarr ports without reverse proxy traversal
- Audit current authentication settings to identify instances with "Disabled for Local Addresses" enabled
Monitoring Recommendations
- Enable comprehensive access logging in Sonarr and regularly review for anomalous access patterns
- Configure alerting for any changes to authentication settings or user accounts
- Monitor network traffic to Sonarr instances for connections bypassing reverse proxy infrastructure
- Implement intrusion detection rules for requests containing spoofed local address headers
How to Mitigate CVE-2026-30975
Immediate Actions Required
- Upgrade Sonarr to version 4.0.16.2942 (nightly/develop) or 4.0.16.2944 (stable/main) immediately
- Change the Authentication Required setting to Enabled to require authentication for all connections
- Review access logs for any signs of unauthorized access prior to patching
- Rotate any API keys or credentials that may have been exposed
Patch Information
Security patches are available in the following versions:
- Nightly/Develop Branch: Version 4.0.16.2942 - GitHub Release v4.0.16.2942
- Stable/Main Branch: Version 4.0.16.2944 - GitHub Release v4.0.16.2944
For complete details on the vulnerability, refer to the GitHub Security Advisory GHSA-h5qx-5hjf-7c9r.
Workarounds
- Set Sonarr's Authentication Required setting to Enabled to require authentication for all connections regardless of origin
- Deploy Sonarr behind a properly configured reverse proxy that strips or validates origin headers
- Do not expose Sonarr directly to the internet; instead, access it through a VPN, Tailscale, or similar secure network solution
- Implement firewall rules to restrict access to Sonarr only from trusted internal networks
# Example: Configure Sonarr authentication setting via config.xml
# Ensure AuthenticationRequired is set to "Enabled" instead of "DisabledForLocalAddresses"
# Location: /path/to/sonarr/config.xml
# <AuthenticationRequired>Enabled</AuthenticationRequired>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
