CVE-2026-44184HIGH 8.0EPSS p2.2%

CVE-2026-44184CVE-2026-44184

Description

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10.

Scoring

CVSS 3.18.0 (HIGH)
VectorCVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS0.12% probability of exploitation · percentile 2.2% · 2026-06-18T12:00:27Z
Published2026-05-12
Last modified2026-05-13

Underlying weaknesses· 2

CWE-346CWE-942

References

  1. https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf
  2. https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf

2

TypeTargetConfidenceTier
WeaknessOrigin Validation Errorcwe-3460%live
WeaknessPermissive Cross-domain Security Policy with Untrusted Domainscwe-9420%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-44183
CVE
CVE-2026-30975
CVE
CVE-2026-11210
CVE
CVE-2026-11684
CVE
CVE-2025-50983
CVE
CVE-2026-11242
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.