CVE-2026-44184 Overview
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Versions prior to 2.9.10 contain an origin validation flaw [CWE-346] in the global Cross-Origin Resource Sharing (CORS) policy. The application reflects every request Origin header and combines this with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API authenticates requests by source IP through the TrustedNetworkAuthenticationHandler. Any website an administrator visits from a trusted IP can read authenticated API responses cross-origin, including the permanent API key. The issue is fixed in version 2.9.10.
Critical Impact
A malicious webpage visited by an authenticated user on a trusted network can extract the administrator's permanent API key and gain full control of the Cleanuparr instance.
Affected Products
- Cleanuparr versions prior to 2.9.10
- Deployments with DisableAuthForLocalAddresses enabled
- Instances reachable from administrator browsers on trusted networks
Discovery Timeline
- 2026-05-12 - CVE-2026-44184 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44184
Vulnerability Analysis
The vulnerability stems from two compounding misconfigurations in Cleanuparr's HTTP layer. The global CORS policy echoes whatever value the browser supplies in the Origin header rather than validating it against an allowlist. The same policy enables credentialed requests through AllowCredentials(), which permits browsers to send cookies and read responses across origins. Browsers refuse to honour a wildcard Access-Control-Allow-Origin: * together with credentials, but a policy that reflects the specific requesting origin satisfies that check and so defeats the protection.
The second flaw lies in TrustedNetworkAuthenticationHandler. When DisableAuthForLocalAddresses is set, the handler treats any request originating from a trusted source IP as authenticated, without requiring a token or session credential. Browsers running on a trusted network therefore make authenticated calls automatically, and the reflected CORS policy lets the calling page read the responses.
Root Cause
The root cause is improper origin validation combined with IP-based authentication. The CORS handler accepts arbitrary origins instead of comparing them to a configured allowlist. The authentication handler trusts network location as proof of identity. Either control alone is weak; together they enable a cross-origin attacker to impersonate the administrator.
Attack Vector
An attacker hosts a malicious page and lures an administrator to visit it from a workstation on a trusted network. The attacker page issues fetch() calls to the Cleanuparr API with credentials: 'include'. The browser attaches no token, but the server authenticates the request by source IP. Cleanuparr returns the response with Access-Control-Allow-Origin set to the attacker's domain and Access-Control-Allow-Credentials: true. The attacker's JavaScript reads sensitive responses, including the permanent API key endpoint, and exfiltrates the key for persistent remote access.
Detection Methods for CVE-2026-44184
Indicators of Compromise
- Outbound HTTP requests from administrator browsers to unfamiliar domains shortly before unexpected Cleanuparr API activity
- Cleanuparr access logs showing requests with external Referer or Origin headers reaching authenticated endpoints
- Unexpected use of the administrator API key from new IP addresses or user agents
- Configuration entries showing DisableAuthForLocalAddresses set to true in production deployments
Detection Strategies
- Inspect Cleanuparr access logs for Origin headers that do not match the deployed front-end domain
- Alert when responses include Access-Control-Allow-Origin values reflecting third-party origins alongside Access-Control-Allow-Credentials: true
- Correlate API key usage patterns with geolocation or ASN changes to identify key theft
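The two log-based strategies above, as an added detector that is not part of the advisory or of Cleanuparr itself: it scans constructed reverse-proxy log lines (format and API paths are assumptions) and flags a foreign Origin on an API endpoint as medium severity, or high severity when the response echoed that origin together with Access-Control-Allow-Credentials: true.

```python
import re
from typing import Dict, List, Optional

# Constructed assumption: the single origin the Cleanuparr front-end is served from.
ALLOWED_ORIGINS = {"https://cleanuparr.internal.example.com"}

# Constructed log format (assumption): the reverse proxy logs, per request, the client
# IP, method, path, the request Origin and the two response CORS headers. A real
# deployment's log_format will differ; adapt the regex to it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" origin="(?P<origin>[^"]*)" '
    r'acao="(?P<acao>[^"]*)" acac="(?P<acac>[^"]*)"$'
)

# Constructed sample lines; the API paths are placeholders, not Cleanuparr's real routes.
SAMPLE_LOG = """\
10.0.0.5 "GET /api/settings" origin="https://cleanuparr.internal.example.com" acao="https://cleanuparr.internal.example.com" acac="true"
10.0.0.5 "GET /api/settings" origin="https://evil.example.net" acao="https://evil.example.net" acac="true"
10.0.0.5 "GET /api/health" origin="" acao="" acac=""
10.0.0.7 "POST /api/clean" origin="https://evil.example.net" acao="" acac=""
"""


def analyse(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: leave it to the log pipeline's own alerting
    origin, acao, acac = m["origin"], m["acao"], m["acac"]
    if not origin or origin in ALLOWED_ORIGINS:
        return None  # no Origin (same-origin or non-browser) or the legitimate front-end
    finding = {"ip": m["ip"], "path": m["path"], "origin": origin}
    if acao == origin and acac.lower() == "true":
        # The server echoed the foreign origin AND allowed credentials: that page
        # could read the authenticated response. This is the CVE's signature.
        finding["severity"] = "high"
        finding["reason"] = "third-party origin reflected with credentials"
    else:
        # A foreign origin reached an API endpoint but the browser would have
        # blocked the read; still worth review.
        finding["severity"] = "medium"
        finding["reason"] = "unexpected Origin on API endpoint"
    return finding


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run analyse() over every non-empty line and collect the findings."""
    results = [analyse(ln) for ln in log_text.splitlines() if ln.strip()]
    return [f for f in results if f is not None]
```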
Monitoring Recommendations
- Forward Cleanuparr application and reverse-proxy logs to a central log platform for query and retention
- Monitor administrator browser endpoints for connections to newly registered or low-reputation domains
- Track configuration drift on the DisableAuthForLocalAddresses setting across all Cleanuparr instances
How to Mitigate CVE-2026-44184
Immediate Actions Required
- Upgrade all Cleanuparr instances to version 2.9.10 or later without delay
- Rotate every API key issued by affected instances and revoke prior credentials
- Turn off the DisableAuthForLocalAddresses setting until the upgrade is complete and validated
- Review access logs for evidence of cross-origin authenticated requests during the exposure window
Patch Information
The maintainers released the fix in Cleanuparr 2.9.10. Details are available in the GitHub Security Advisory GHSA-rwpc-36mg-fpvf. Administrators should pull the patched container image or binary and restart the service.
Workarounds
- Restrict Cleanuparr to a dedicated administrative network segment unreachable from general-purpose workstations
- Place Cleanuparr behind a reverse proxy that enforces a strict CORS allowlist and strips reflected Origin headers
- Require token-based authentication for all requests by leaving DisableAuthForLocalAddresses disabled
- Configure browser-side controls or SameSite enforcement on the reverse proxy to limit cross-site credential attachment; note that SameSite governs cookies only and does nothing for the IP-based trust that DisableAuthForLocalAddresses grants, so it complements rather than replaces the controls above
# Reverse-proxy snippet enforcing a strict CORS allowlist (nginx)
# Only cross-origin browser requests from origins outside the allowlist are rejected;
# requests with no Origin header (same-origin navigation, curl, Sonarr/Radarr callbacks)
# carry no cross-origin risk and must still pass through.
map $http_origin $cors_ok {
    default "";
    "https://cleanuparr.internal.example.com" $http_origin;
}
map $http_origin $cors_reject {
    default 1;
    "" 0;
    "https://cleanuparr.internal.example.com" 0;
}
server {
    location /api/ {
        if ($cors_reject) { return 403; }
        # Drop the upstream's reflected CORS headers so only the proxy's values reach the browser
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        # nginx omits add_header entries whose value is empty, so no Origin means no ACAO
        add_header Access-Control-Allow-Origin $cors_ok always;
        add_header Access-Control-Allow-Credentials "true" always;
        proxy_pass http://cleanuparr_upstream;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.