CVE-2026-27793
Received Received - Intake
Unauthorized Credential Disclosure via User API in Seerr Prior to

Publication date: 2026-02-27

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27793
EUVD
EUVD-2026-9055
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
seerr seerr to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Seerr, an open-source media request and discovery manager. Before version 3.1.0, the API endpoint GET /api/v1/user/:id returns the full settings object for any user, including sensitive third-party credentials such as Pushover, Pushbullet, and Telegram credentials, to any authenticated user regardless of their privilege level.

This means that any authenticated user can access sensitive credential information of other users, including administrators. The vulnerability can also be combined with another vulnerability (CVE-2026-27707) that allows unauthenticated account creation, creating a zero-prior-access chain that leaks these credentials without any prior access.

The issue was fixed in version 3.1.0 of Seerr.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive third-party API credentials for all users, including administrators.

An attacker with access to these credentials could potentially misuse third-party services integrated with Seerr, leading to unauthorized actions or data exposure.

If combined with the unauthenticated account creation vulnerability (CVE-2026-27707), an attacker could exploit the system without any prior access, increasing the risk and impact.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Seerr to version 3.1.0 or later, which contains fixes for this issue and the related unauthenticated account creation vulnerability CVE-2026-27707.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27793. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart