CVE-2026-27707
Received Received - Intake
Authentication Bypass in Seerr Plex Integration Allows Unauthorized Access

Publication date: 2026-02-27

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27707
EUVD
EUVD-2026-9052
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
seerr seerr From 2.0.0 (inc) to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Seerr, an open-source media request and discovery manager. It is caused by a flaw in the authentication guard logic of the POST /api/v1/auth/jellyfin endpoint in versions starting from 2.0.0 up to but not including 3.1.0.

An unauthenticated attacker can exploit this flaw to register a new Seerr account on any instance configured to use Plex by authenticating with a Jellyfin server controlled by the attacker. This results in the attacker receiving an authenticated session with default permissions.

The attacker can then immediately use the application, including submitting media requests to Radarr or Sonarr. This vulnerability affects deployments where the mediaServerType is set to PLEX, the Jellyfin IP setting is empty (default), and newPlexLogin is enabled (default). Deployments configured for Jellyfin or Emby are not affected.

The issue is fixed in Seerr version 3.1.0.

Impact Analysis

This vulnerability allows an unauthenticated attacker to gain an authenticated session on a vulnerable Seerr instance configured with Plex, without needing valid credentials.

With this access, the attacker can use the application with default permissions, including submitting media requests to integrated services like Radarr and Sonarr.

This unauthorized access could lead to misuse of the media request system, potential disruption of service, and unauthorized actions within the application.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if your Seerr deployment meets all three conditions that make it vulnerable: the media server type is set to PLEX, the Jellyfin IP setting is empty (meaning Jellyfin was never configured), and the new Plex login setting is enabled (set to true).

You can verify these settings by inspecting the Seerr configuration files or environment variables where these settings are stored.

Since no specific commands or detection tools are provided in the available information, a general approach would be to query the configuration or use API calls to check these settings.

For example, if you have access to the configuration file, you might use commands like:

  • grep 'mediaServerType' path/to/seerr/config
  • grep 'jellyfin.ip' path/to/seerr/config
  • grep 'newPlexLogin' path/to/seerr/config

If the settings match the vulnerable conditions, your system is likely affected.

Mitigation Strategies

The immediate mitigation step is to upgrade Seerr to version 3.1.0 or later, where this authentication guard logic flaw has been fixed.

Alternatively, if upgrading is not immediately possible, you can mitigate the risk by changing the configuration to avoid the vulnerable state. This includes:

  • Setting `settings.main.mediaServerType` to a value other than PLEX if applicable.
  • Configuring `settings.jellyfin.ip` to a valid Jellyfin server IP instead of leaving it empty.
  • Disabling `settings.main.newPlexLogin` by setting it to false.

These configuration changes reduce the attack surface until a full upgrade can be performed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27707. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart