CVE-2026-27707
Authentication Bypass in Seerr Plex Integration Allows Unauthorized Access
Publication date: 2026-02-27
Last updated on: 2026-03-04
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| seerr | seerr | From 2.0.0 (inc) to 3.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Seerr, an open-source media request and discovery manager. It is caused by a flaw in the authentication guard logic of the POST /api/v1/auth/jellyfin endpoint in versions starting from 2.0.0 up to but not including 3.1.0.
An unauthenticated attacker can exploit this flaw to register a new Seerr account on any instance configured to use Plex by authenticating with a Jellyfin server controlled by the attacker. This results in the attacker receiving an authenticated session with default permissions.
The attacker can then immediately use the application, including submitting media requests to Radarr or Sonarr. This vulnerability affects deployments where the mediaServerType is set to PLEX, the Jellyfin IP setting is empty (default), and newPlexLogin is enabled (default). Deployments configured for Jellyfin or Emby are not affected.
The issue is fixed in Seerr version 3.1.0.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to gain an authenticated session on a vulnerable Seerr instance configured with Plex, without needing valid credentials.
With this access, the attacker can use the application with default permissions, including submitting media requests to integrated services like Radarr and Sonarr.
This unauthorized access could lead to misuse of the media request system, potential disruption of service, and unauthorized actions within the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Seerr deployment meets all three conditions that make it vulnerable: the media server type is set to PLEX, the Jellyfin IP setting is empty (meaning Jellyfin was never configured), and the new Plex login setting is enabled (set to true).
You can verify these settings by inspecting the Seerr configuration files or environment variables where these settings are stored.
Since no specific commands or detection tools are provided in the available information, a general approach would be to query the configuration or use API calls to check these settings.
For example, if you have access to the configuration file, you might use commands like:
- `grep 'mediaServerType' path/to/seerr/config`
- `grep 'jellyfin.ip' path/to/seerr/config`
- `grep 'newPlexLogin' path/to/seerr/config`
If the settings match the vulnerable conditions, your system is likely affected.
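As an added example that is not part of this record or of the Seerr project, the following Python check applies the advisory's version range and the three configuration conditions above to a settings file. It assumes the settings are stored as JSON under the keys named in this Q&A (`main.mediaServerType`, `jellyfin.ip`, `main.newPlexLogin`); the file layout and the numeric value 1 standing for PLEX are assumptions, not taken from the advisory.

```python
"""Checks whether a Seerr instance is in the vulnerable state for CVE-2026-27707.

Hypothetical helper, not Seerr's own code. Assumes the settings file is JSON with
the advisory's keys: main.mediaServerType, jellyfin.ip and main.newPlexLogin.
"""
import json
import re

# The advisory says "PLEX"; Overseerr-derived projects store this enum as an
# integer, and PLEX == 1 is assumed here. Either representation is accepted.
PLEX_VALUES = ("PLEX", 1)
AFFECTED_MIN = (2, 0, 0)   # inclusive
FIXED_VERSION = (3, 1, 0)  # exclusive

def parse_version(text):
    """Turn 'v3.0.1' or '3.0.1-beta' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def version_affected(version):
    """True when the version falls in the advisory's range [2.0.0, 3.1.0)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION

def config_in_vulnerable_state(settings):
    """Apply the advisory's three conditions; all must hold at once."""
    main = settings.get("main", {})
    jellyfin = settings.get("jellyfin", {})
    checks = {
        "media_server_is_plex": main.get("mediaServerType") in PLEX_VALUES,
        # Missing key is treated as empty, i.e. Jellyfin was never configured.
        "jellyfin_ip_empty": not (jellyfin.get("ip") or "").strip(),
        # newPlexLogin defaults to enabled, so a missing key counts as True.
        "new_plex_login_enabled": bool(main.get("newPlexLogin", True)),
    }
    checks["vulnerable_state"] = all(checks.values())
    return checks

def assess(version, settings_json):
    """Combine the version range and configuration state into one verdict."""
    checks = config_in_vulnerable_state(json.loads(settings_json))
    checks["version_affected"] = version_affected(version)
    checks["exposed"] = checks["version_affected"] and checks["vulnerable_state"]
    return checks

# Constructed sample: a default-looking Plex deployment, not a real instance.
SAMPLE_SETTINGS = json.dumps({"main": {"mediaServerType": 1, "newPlexLogin": True},
                             "jellyfin": {"ip": ""}})
```

Running `assess("3.0.1", SAMPLE_SETTINGS)` reports each condition separately, so an operator can see which of the three settings keeps the instance in the vulnerable state.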
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Seerr to version 3.1.0 or later, where this authentication guard logic flaw has been fixed.
Alternatively, if upgrading is not immediately possible, you can mitigate the risk by changing the configuration to avoid the vulnerable state. This includes:
- Setting `settings.main.mediaServerType` to a value other than PLEX if applicable.
- Configuring `settings.jellyfin.ip` to a valid Jellyfin server IP instead of leaving it empty.
- Disabling `settings.main.newPlexLogin` by setting it to false.
These configuration changes reduce the attack surface until a full upgrade can be performed.