{"id":"CVE-2026-30975","summary":"Sonarr Authentication Bypass vulnerability","details":"Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that did not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.","aliases":["GHSA-h5qx-5hjf-7c9r"],"modified":"2026-04-10T05:42:49.117347Z","published":"2026-03-25T21:08:15.426Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30975.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-290"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30975.json"},{"type":"WEB","url":"https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942"},{"type":"WEB","url":"https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944"},{"type":"ADVISORY","url":"https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30975"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sonarr/sonarr","events":[{"introduced":"0"},{"fixed":"8c5091949933daaad15f9b7660ce81b9f9fee25d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.0.16.2942"}]}}],"versions":["v2.0.0.3004","v2.0.0.3154","v2.0.0.3357","v2.0.0.3527","v2.0.0.3530","v2.0.0.3573","v2.0.0.3645","v2.0.0.3732","v2.0.0.3953","v2.0.0.4146","v2.0.0.
4230","v2.0.0.4323","v2.0.0.4326","v2.0.0.4370","v2.0.0.4389","v2.0.0.4409","v2.0.0.4427","v2.0.0.4472","v2.0.0.4613","v2.0.0.4689","v2.0.0.4748","v2.0.0.4753","v2.0.0.4855","v2.0.0.4913","v2.0.0.4918","v2.0.0.4919","v2.0.0.4928","v2.0.0.4949","v2.0.0.5054","v2.0.0.5153","v2.0.0.5163","v2.0.0.5225","v2.0.0.5228","v2.0.0.5250","v3.0.5.1144","v3.0.6.1196","v3.0.6.1264","v3.0.6.1266","v3.0.6.1335","v3.0.6.1342","v3.0.7.1477","v3.0.8.1507","v3.0.9.1549","v4.0.0.741","v4.0.0.825","v4.0.0.836","v4.0.0.924","v4.0.1.1014","v4.0.1.1047","v4.0.1.1096","v4.0.1.1114","v4.0.1.1131","v4.0.1.1168","v4.0.1.929","v4.0.1.933","v4.0.1.947","v4.0.1.953","v4.0.1.987","v4.0.10.2544","v4.0.10.2579","v4.0.10.2624","v4.0.10.2656","v4.0.11.2680","v4.0.11.2688","v4.0.11.2697","v4.0.11.2724","v4.0.11.2743","v4.0.11.2762","v4.0.11.2774","v4.0.11.2784","v4.0.11.2793","v4.0.11.2800","v4.0.11.2804","v4.0.11.2815","v4.0.12.2823","v4.0.12.2825","v4.0.12.2849","v4.0.12.2866","v4.0.12.2892","v4.0.12.2900","v4.0.13.2931","v4.0.13.2932","v4.0.13.2933","v4.0.13.2934","v4.0.14.2938","v4.0.14.2939","v4.0.15.2940","v4.0.15.2941","v4.0.2.1183","v4.0.2.1192","v4.0.2.1223","v4.0.2.1262","v4.0.2.1312","v4.0.2.1341","v4.0.2.1367","v4.0.2.1408","v4.0.3.1413","v4.0.3.1442","v4.0.3.1465","v4.0.3.1486","v4.0.4.1491","v4.0.4.1515","v4.0.4.1572","v4.0.4.1616","v4.0.4.1650","v4.0.4.1668","v4.0.4.1692","v4.0.4.1695","v4.0.4.1699","v4.0.5.1710","v4.0.5.1719","v4.0.5.1740","v4.0.5.1760","v4.0.5.1778","v4.0.5.1782","v4.0.5.1791","v4.0.5.1801","v4.0.6.1805","v4.0.6.1820","v4.0.6.1847","v4.0.7.1863","v4.0.7.1868","v4.0.8.1874","v4.0.8.1893","v4.0.8.1902","v4.0.8.1929","v4.0.8.1967","v4.0.8.1988","v4.0.8.2008","v4.0.8.2093","v4.0.8.2158","v4.0.8.2208","v4.0.8.2223","v4.0.9.2244","v4.0.9.2257","v4.0.9.2278","v4.0.9.2300","v4.0.9.2332","v4.0.9.2342","v4.0.9.2386","v4.0.9.2421","v4.0.9.2457","v4.0.9.2513"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30975.json"}}],"schema_
version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}