CVE-2026-32702 Overview
CVE-2026-32702 is a timing attack vulnerability in Cleanuparr, a tool designed for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. The vulnerability exists in the /api/auth/login endpoint, which contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time differences.
Critical Impact
Attackers can remotely enumerate valid usernames without authentication, potentially facilitating targeted brute-force attacks or social engineering campaigns against confirmed user accounts.
Affected Products
- Cleanuparr versions 2.7.0 through 2.8.0
- Cleanuparr_project Cleanuparr
Discovery Timeline
- 2026-03-16 - CVE-2026-32702 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-32702
Vulnerability Analysis
This vulnerability falls under CWE-208 (Observable Timing Discrepancy), a classic side-channel attack vector. The authentication mechanism in Cleanuparr introduces a measurable timing differential that reveals whether a submitted username exists in the system. The flaw stems from the application's handling of the password verification process, where the computationally expensive hashing function is only invoked when a valid username is provided.
When an attacker submits login requests to the /api/auth/login endpoint, they can observe that requests with valid usernames take noticeably longer to process compared to requests with invalid usernames. This timing difference occurs because the VerifyPassword function—which contains the resource-intensive hashing operation—is only executed after confirming the username exists. Short-circuit evaluation before the hashing function creates this exploitable timing discrepancy.
Root Cause
The root cause of this vulnerability is improper implementation of the authentication flow in the /api/auth/login endpoint. The application performs username validation before invoking the VerifyPassword function, which contains the time-consuming password hashing operation. This sequential approach with early termination (short-circuit logic) for invalid usernames creates an observable timing side channel.
A secure implementation would ensure constant-time authentication responses regardless of username validity, typically by always performing the password hashing operation or using constant-time comparison functions throughout the authentication process.
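The short-circuit flaw described above beside the always-hash fix, as an added Python illustration (this is not Cleanuparr's code; the user store, PBKDF2 parameters and function names are assumptions). The hardened path hashes against a dummy record when the username is unknown, so both branches do the same work:

```python
import hashlib
import hmac
import os
import time

# Constructed demo store (user, password and cost are assumptions): name -> (salt, hash)
ITERATIONS = 100_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# Dummy credential hashed once at startup, so the hardened path does the same
# amount of work for an unknown username as for a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-accepted", _DUMMY_SALT)

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    # Expensive derivation plus a constant-time comparison against the stored hash.
    return hmac.compare_digest(_hash_password(password, salt), expected)

def login_vulnerable(username: str, password: str) -> bool:
    # CWE-208 pattern from the advisory: an unknown username returns before the
    # hash runs, so "no such user" is measurably faster than "wrong password".
    record = USERS.get(username)
    if record is None:
        return False
    return verify_password(password, *record)

def login_hardened(username: str, password: str) -> bool:
    # Always pay the hashing cost; only the final decision depends on whether
    # the username exists, so response time no longer reveals it.
    record = USERS.get(username)
    if record is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_HASH)  # result deliberately ignored
        return False
    return verify_password(password, *record)

def latency_ratio(login, known="admin", unknown="no-such-user", rounds=5) -> float:
    # Mean latency for a known username divided by that for an unknown one, both
    # with a wrong password. Close to 1.0 means no observable discrepancy.
    def mean(user):
        t0 = time.perf_counter()
        for _ in range(rounds):
            login(user, "wrong-password")
        return (time.perf_counter() - t0) / rounds
    return mean(known) / mean(unknown)

if __name__ == "__main__":
    print("vulnerable known/unknown ratio: %.1f" % latency_ratio(login_vulnerable))
    print("hardened   known/unknown ratio: %.1f" % latency_ratio(login_hardened))
```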
Attack Vector
This vulnerability is exploitable remotely over the network without requiring any authentication or user interaction. An attacker can craft automated requests to the /api/auth/login endpoint, systematically testing potential usernames while measuring response times. By analyzing the statistical differences in response latency, attackers can reliably distinguish between valid and invalid usernames.
The attack can be performed using simple scripting tools that measure HTTP response times. Once valid usernames are identified, attackers can focus brute-force or credential stuffing attacks on confirmed accounts, significantly improving attack efficiency and reducing detection risk.
Detection Methods for CVE-2026-32702
Indicators of Compromise
- High volume of failed login attempts from single IP addresses with varying usernames
- Rapid sequential requests to /api/auth/login endpoint with minimal time between requests
- Pattern of requests testing alphabetically or dictionary-based username combinations
- Network traffic analysis showing consistent request patterns to authentication endpoints
Detection Strategies
- Monitor rate-limit hits on the /api/auth/login endpoint to identify enumeration attempts
- Deploy web application firewalls (WAF) with rules to detect timing-based enumeration patterns
- Monitor authentication logs for anomalous login attempt patterns indicating systematic username testing
- Use SIEM correlation rules to alert on multiple failed authentications with different usernames from the same source
Monitoring Recommendations
- Enable detailed logging for all authentication endpoint requests including response times
- Configure alerts for authentication failure rates exceeding baseline thresholds
- Monitor network traffic for automated scanning tool signatures targeting authentication endpoints
- Implement account lockout monitoring to detect enumeration attempts transitioning to brute-force attacks
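The SIEM correlation suggested above (many distinct usernames failing from one source inside a short window, with automation-like spacing between requests), run over constructed log lines as an added example. The log format, field names and thresholds are assumptions; Cleanuparr's own log layout is not described on this page:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, source IP, outcome,
# username and response time in ms, as the monitoring section recommends logging.
SAMPLE_LOG = """\
2026-03-17T10:00:00.000Z 203.0.113.7 login_failed user=aaron rt_ms=12
2026-03-17T10:00:00.150Z 203.0.113.7 login_failed user=abby rt_ms=11
2026-03-17T10:00:00.300Z 203.0.113.7 login_failed user=admin rt_ms=185
2026-03-17T10:00:00.450Z 203.0.113.7 login_failed user=alex rt_ms=12
2026-03-17T10:00:00.600Z 203.0.113.7 login_failed user=alice rt_ms=13
2026-03-17T10:00:01.000Z 198.51.100.20 login_failed user=admin rt_ms=190
2026-03-17T10:00:09.000Z 198.51.100.20 login_ok user=admin rt_ms=188
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>login_\w+) user=(?P<user>\S+) rt_ms=(?P<rt>\d+)$"
)

def parse(log: str):
    # Yield (timestamp, ip, event, user, response_ms) for each well-formed line.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, m["ip"], m["event"], m["user"], int(m["rt"])

def enumeration_sources(log: str, window=timedelta(seconds=60),
                        min_users=4, max_gap=timedelta(seconds=1)):
    """Return {ip: sorted distinct usernames} for sources whose failed logins hit
    at least `min_users` distinct usernames inside one `window`, with consecutive
    attempts no more than `max_gap` apart (the rapid-sequential indicator)."""
    per_ip = defaultdict(list)
    for ts, ip, event, user, _rt in parse(log):
        if event == "login_failed":
            per_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_window = [(t, u) for t, u in attempts[i:] if t - start <= window]
            users = {u for _, u in in_window}
            gaps = [b[0] - a[0] for a, b in zip(in_window, in_window[1:])]
            if len(users) >= min_users and gaps and max(gaps) <= max_gap:
                flagged[ip] = sorted(users)
                break
    return flagged
```

A single slow failure from a second source (198.51.100.20 above) is not flagged: the rule keys on breadth of usernames and request spacing, not on one failed attempt.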
How to Mitigate CVE-2026-32702
Immediate Actions Required
- Upgrade Cleanuparr to version 2.8.1 or later immediately
- Implement network-level rate limiting on the /api/auth/login endpoint as a temporary measure
- Review authentication logs for evidence of prior exploitation attempts
- Consider implementing additional authentication controls such as multi-factor authentication
Patch Information
The vulnerability has been fixed in Cleanuparr version 2.8.1. Users running versions 2.7.0 through 2.8.0 should upgrade immediately. The fix addresses the timing discrepancy by ensuring constant-time authentication responses regardless of username validity. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Place Cleanuparr behind a reverse proxy with aggressive rate limiting on the authentication endpoint
- Restrict network access to Cleanuparr to trusted IP ranges only using firewall rules
- Implement CAPTCHA or similar challenge-response mechanisms before authentication attempts
- Deploy network intrusion detection systems to identify and block automated enumeration attempts
# Example nginx rate limiting configuration for /api/auth/login
# (limit_req_zone is only valid in the http {} context; the location block
# belongs in the server {} block that fronts Cleanuparr; cleanuparr_backend
# is assumed to be an upstream {} defined elsewhere in the same configuration)
http {
    limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=5r/m;
    server {
        location /api/auth/login {
            limit_req zone=auth_limit burst=3 nodelay;
            limit_req_status 429;
            proxy_pass http://cleanuparr_backend;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.