CVE-2026-27792 in seerr
Summary
by MITRE • 02/27/2026
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue.
Analysis
by VulDB Data Team • 03/05/2026
CVE-2026-27792 affects Seerr, an open-source media request and discovery manager that integrates with Jellyfin, Plex, and Emby and gives the users of a shared media server one place to request and track content. The flaw is an authorization bypass: an authenticated user can read and modify data that belongs to other users. According to the advisory it is present from version 2.7.0 up to, but not including, version 3.1.0, so every 2.7.x and 3.0.x release is affected, and for the routes in question the per-user isolation that the application's other user-scoped routes enforce does not hold.
The root cause is a missing access-control check on several push subscription API routes. Seerr guards user-scoped routes with an `isOwnProfileOrAdmin()` middleware that lets a request through only when the authenticated user either is the user the route refers to or holds the admin permission; the affected routes were registered without it. The routes still require a logged-in session, so the defect is missing authorization rather than missing authentication: once authenticated, a user can put any other user's identifier in the request and the handler operates on that user's push subscriptions. This is the pattern usually called an insecure direct object reference (IDOR) or broken object-level authorization, and it violates the principle of least privilege that should govern every per-user resource.
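The following is an added example, not Seerr's own code: an Express-style middleware chain that models the ownership check described above, with the route wired once without the check (as in the affected versions) and once with it. The route shape (`/api/v1/user/:userId/pushSubscriptions/:key`), the permission name, the in-memory store and the request objects are assumptions made for the demonstration.

```javascript
// Added example, not Seerr's code. Route shape, permission name, store and
// request objects are assumptions; only the middleware pattern is the point.

const Permission = { ADMIN: 'ADMIN' };

// Constructed per-user store: userId -> Map(subscriptionKey -> subscription).
const subscriptions = new Map();
function resetStore() {
  subscriptions.clear();
  subscriptions.set(1, new Map([['key-alice', { endpoint: 'https://push.example/alice' }]]));
  subscriptions.set(2, new Map([['key-bob', { endpoint: 'https://push.example/bob' }]]));
}

// Requires a logged-in session; says nothing about *which* user is targeted.
function isAuthenticated() {
  return (req, res, next) =>
    req.user ? next() : next({ status: 401, message: 'Not authenticated' });
}

// The check that was missing: allow only an admin, or the user whose id is in
// the path. Compare as numbers, because path parameters arrive as strings.
function isOwnProfileOrAdmin() {
  return (req, res, next) => {
    const targetId = Number(req.params.userId);
    if (!Number.isInteger(targetId)) {
      return next({ status: 400, message: 'Invalid user id' });
    }
    const isAdmin = req.user.permissions.includes(Permission.ADMIN);
    if (!isAdmin && req.user.id !== targetId) {
      return next({ status: 403, message: "You do not have permission to access this user's data" });
    }
    next();
  };
}

// Handler for DELETE /api/v1/user/:userId/pushSubscriptions/:key (assumed path).
// It trusts :userId completely; authorization must happen before it runs.
function deleteSubscription(req, res) {
  const userSubs = subscriptions.get(Number(req.params.userId));
  if (!userSubs || !userSubs.delete(req.params.key)) {
    return res.status(404).json({ message: 'Subscription not found' });
  }
  return res.status(204).json(null);
}

// Minimal stand-in for Express: runs handlers in order; an error passed to
// next() short-circuits the chain the way an Express error handler would.
function dispatch(chain, req) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let index = 0;
  const next = (err) => {
    if (err) {
      res.status(err.status).json({ message: err.message });
      return;
    }
    const handler = chain[index++];
    if (handler) handler(req, res, next);
  };
  next();
  return res;
}

// Affected versions: authentication only. Fixed version: ownership check added.
const vulnerableChain = [isAuthenticated(), deleteSubscription];
const fixedChain = [isAuthenticated(), isOwnProfileOrAdmin(), deleteSubscription];

// Run one request against a fresh store; report the status and whether the
// target user's subscriptions survived.
function attempt(chain, actor, targetUserId, key) {
  resetStore();
  const req = { user: actor, params: { userId: String(targetUserId), key } };
  const res = dispatch(chain, req);
  return { status: res.statusCode, remaining: subscriptions.get(targetUserId).size };
}

const alice = { id: 1, permissions: [] };
const bob = { id: 2, permissions: [] };
const admin = { id: 3, permissions: [Permission.ADMIN] };

console.log('unpatched, bob deletes alice:', attempt(vulnerableChain, bob, 1, 'key-alice'));
console.log('patched,   bob deletes alice:', attempt(fixedChain, bob, 1, 'key-alice'));
console.log('patched, admin deletes alice:', attempt(fixedChain, admin, 1, 'key-alice'));
```

The handler itself is unchanged between the two chains; that is the point. Ownership is decided by the middleware that precedes it, so a route that is registered without the middleware is exploitable even though every line of the handler is "correct".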
The impact is confined to the data those routes handle, but within that scope it touches confidentiality, integrity, and availability. A push subscription is the record that lets the server deliver web push notifications to a user's browser or device, so an authenticated attacker who can read, change, or delete another user's subscriptions can learn where that user receives notifications, stop their notifications from arriving, or, depending on what the affected routes accept, register a subscription under the victim's account so that notifications meant for the victim are delivered to an endpoint the attacker controls. Every account on the instance is a potential attacker, so the practical exposure depends on who is allowed to hold one: a household instance with a few trusted users is at little risk, while an instance that imports every user from a shared Plex or Jellyfin server, or that permits self-registration, should treat the flaw as a cross-user privacy and integrity problem.
The weakness is CWE-862, Missing Authorization: the application authenticates the caller but never checks that the caller may act on the object named in the request. Exploitation requires an existing low-privilege account, which ATT&CK would classify under T1078 (Valid Accounts) rather than any cloud-specific sub-technique; the more precise description is an insecure direct object reference on a per-user resource. Instances running any version from 2.7.0 up to, but not including, 3.1.0 should upgrade to 3.1.0 or later, which applies the authorization middleware to the affected routes. Where an immediate upgrade is not possible, reduce the exposure by limiting who holds an account (disable open registration and prune imported media-server users who do not need access). Administrators should also review their access logs for requests to the push subscription routes in which the user identifier in the path differs from the authenticated session user while that user is not an admin; on an unpatched instance such requests succeed instead of being rejected, which is the signature of exploitation. Any unrelated weakness that hands an attacker a low-privilege account raises the value of this one.
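The log review suggested above, as an added triage script that is not part of Seerr or of this advisory. The log line format and the push subscription route path are constructed assumptions; adapt the parser to what your instance actually writes.

```javascript
// Added example, not Seerr's code. Log format and route path are assumptions.

// Constructed sample log: ISO time, method, path, session user id,
// admin flag, HTTP status. Real Seerr logs will look different.
const SAMPLE_LOG = `
2026-03-01T10:00:01Z GET /api/v1/user/1/pushSubscriptions user=1 admin=false status=200
2026-03-01T10:00:05Z GET /api/v1/user/1/pushSubscriptions user=2 admin=false status=200
2026-03-01T10:00:09Z DELETE /api/v1/user/1/pushSubscriptions/key-alice user=2 admin=false status=204
2026-03-01T10:00:12Z GET /api/v1/user/1/pushSubscriptions user=3 admin=true status=200
2026-03-01T10:00:20Z GET /api/v1/request user=2 admin=false status=200
2026-03-01T10:01:02Z DELETE /api/v1/user/1/pushSubscriptions/key-alice user=2 admin=false status=403
`.trim().split('\n');

const LINE_RE = /^(\S+) (\S+) (\S+) user=(\d+) admin=(true|false) status=(\d{3})$/;
// Assumed shape of the push subscription endpoints: /api/v1/user/:userId/pushSubscription(s)[/:key]
const PUSH_ROUTE_RE = /^\/api\/v1\/user\/(\d+)\/pushSubscriptions?(?:\/|$|\?)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    time: m[1],
    method: m[2],
    path: m[3],
    actor: Number(m[4]),
    isAdmin: m[5] === 'true',
    status: Number(m[6]),
  };
}

// Flag every push subscription request where a non-admin session acted on a
// different user's id. A 2xx status means the ownership check was absent
// (unpatched instance); a 403 means the fixed middleware rejected it.
function findCrossUserPushAccess(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const route = PUSH_ROUTE_RE.exec(entry.path);
    if (!route) continue;
    const target = Number(route[1]);
    if (entry.isAdmin || target === entry.actor) continue;
    findings.push({ ...entry, target, succeeded: entry.status < 400 });
  }
  return findings;
}

// Group findings per attacking account so an admin can see who to talk to.
function summarizeByActor(findings) {
  const byActor = new Map();
  for (const f of findings) {
    const s = byActor.get(f.actor) ?? { actor: f.actor, attempts: 0, succeeded: 0, targets: new Set() };
    s.attempts += 1;
    if (f.succeeded) s.succeeded += 1;
    s.targets.add(f.target);
    byActor.set(f.actor, s);
  }
  return [...byActor.values()].map((s) => ({ ...s, targets: [...s.targets].sort() }));
}

const findings = findCrossUserPushAccess(SAMPLE_LOG);
for (const f of findings) {
  console.log(`${f.time} user ${f.actor} -> user ${f.target} ${f.method} ${f.path} ${f.succeeded ? 'SUCCEEDED' : 'denied'}`);
}
console.log(summarizeByActor(findings));
```

Admin sessions are skipped because `isOwnProfileOrAdmin()` legitimately allows them; the finding to chase is a non-admin account whose cross-user requests returned 2xx, since that can only happen on an unpatched release.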