CVE-2026-27793
Received Received - Intake
Unauthorized Credential Disclosure via User API in Seerr Prior to

Publication date: 2026-02-27

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-04
Generated
2026-05-07
AI Q&A
2026-02-27
EPSS Evaluated
2026-05-05
NVD
CVE-2026-27793
EUVD
EUVD-2026-9055
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
seerr seerr to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Seerr, an open-source media request and discovery manager. Before version 3.1.0, the API endpoint GET /api/v1/user/:id returns the full settings object for any user, including sensitive third-party credentials such as Pushover, Pushbullet, and Telegram credentials, to any authenticated user regardless of their privilege level.

This means that any authenticated user can access sensitive credential information of other users, including administrators. The vulnerability can also be combined with another vulnerability (CVE-2026-27707) that allows unauthenticated account creation, creating a zero-prior-access chain that leaks these credentials without any prior access.

The issue was fixed in version 3.1.0 of Seerr.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized disclosure of sensitive third-party API credentials for all users, including administrators.

An attacker with access to these credentials could potentially misuse third-party services integrated with Seerr, leading to unauthorized actions or data exposure.

If combined with the unauthenticated account creation vulnerability (CVE-2026-27707), an attacker could exploit the system without any prior access, increasing the risk and impact.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Seerr to version 3.1.0 or later, which contains fixes for this issue and the related unauthenticated account creation vulnerability CVE-2026-27707.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart