CVE-2026-30976 in Sonarr

Summary

by MITRE • 03/25/2026

Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive. This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or a similar solution from outside that network.


Analysis

by VulDB Data Team • 04/01/2026

CVE-2026-30976 represents a critical directory traversal vulnerability affecting Sonarr versions in the 4.x branch prior to 4.0.17.2950. This flaw resides in the application's file serving mechanism on Windows systems, where the API endpoint fails to properly constrain file access to the intended directory structure. The vulnerability allows unauthenticated remote attackers to read any file that the Sonarr process has permission to access, creating a severe privilege escalation scenario. The affected Windows systems can potentially expose sensitive configuration files containing API keys, database credentials, and other confidential information, while also enabling access to system files and user data on the same storage volume. This issue specifically impacts Windows environments due to differences in how file system access controls and path resolution are handled compared to macOS and Linux platforms, making it a platform-specific vulnerability that aligns with CWE-22 (Improper Limiting of a Pathname to a Known Good Path) and CWE-73 (Restriction of Files with Dangerous Extensions) categories.

The technical exploitation of this vulnerability occurs through the Sonarr API's file serving functionality, where the application fails to validate or sanitize file paths before serving content to remote clients. Attackers can construct malicious requests that traverse directory structures beyond the intended boundaries, effectively bypassing access controls and gaining unauthorized access to sensitive data. The vulnerability's impact extends beyond simple information disclosure, as it could potentially allow attackers to extract database credentials and API keys that would enable further exploitation of the system. This type of vulnerability is classified under the MITRE ATT&CK framework as part of the Credential Access tactic, specifically targeting the T1552.001 subtechnique related to Unsecured Credentials, and could also contribute to the Initial Access phase if attackers use the extracted credentials to establish persistence or move laterally within the network. The flaw demonstrates a classic path traversal vulnerability where proper input validation and access control mechanisms were not properly implemented in the file serving code.

The operational impact of this vulnerability is significant for organizations running Sonarr on Windows systems, particularly those that expose the application directly to untrusted networks or the internet. The exposure of API keys and database credentials creates immediate risk for credential compromise, potentially allowing attackers to gain administrative access to Sonarr's configuration and data. Additionally, access to system files and user data on the same drive could lead to broader system compromise, depending on the permissions granted to the Sonarr process. The vulnerability affects Windows-specific installations, which means that organizations with mixed operating system environments may have varying levels of exposure, though the Windows installations remain particularly vulnerable. This vulnerability could be exploited by automated scanning tools or targeted attacks, making it a high-priority issue for organizations that have not yet patched their Sonarr installations.

The vulnerability has been addressed in Sonarr version 4.0.17.2950 for nightly/develop releases and 4.0.17.2952 for stable/main releases, which implement proper path validation and access control measures. These patches ensure that file serving operations are properly constrained to the intended directories and that all file paths are validated before being processed. Organizations should prioritize updating to these patched versions to remediate the vulnerability. In the interim, administrators can implement network-level mitigations such as restricting external access to Sonarr through firewalls, VPNs, or Tailscale connections to ensure that only trusted internal networks can reach the application. This approach aligns with security best practices for protecting services that handle sensitive data and demonstrates the importance of network segmentation and access control in mitigating the impact of such vulnerabilities. The workaround essentially reduces the attack surface by limiting direct internet exposure while the application remains vulnerable.
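As an added illustration of the fix the analysis describes (example code written for this page, not Sonarr's own implementation): the unconstrained join that lets a client-supplied path escape the serving directory, beside a containment check that rejects it. Python's ntpath module is used so the Windows path semantics run on any host; the base directory is a constructed placeholder, not Sonarr's real layout.

```python
import ntpath
from typing import Optional

# Constructed sample base directory for the demonstration (an assumption,
# not Sonarr's real layout): only files under here should ever be served.
BASE_DIR = r"C:\ProgramData\Sonarr\MediaCover"


def naive_resolve(base: str, requested: str) -> str:
    """Vulnerable pattern: trust the client path and join it onto the base.

    ntpath.join drops the base entirely when the second part is rooted or
    carries a drive letter, and normpath collapses '..' straight past the
    base directory, so the result can point anywhere on the volume."""
    return ntpath.normpath(ntpath.join(base, requested))


def safe_resolve(base: str, requested: str) -> Optional[str]:
    """Hardened pattern: canonicalise first, then require the result to lie
    strictly inside the base directory. Returns None for anything else."""
    # Drive letters ("D:x"), UNC prefixes and rooted paths ("\Windows",
    # "/Windows") all make ntpath.join ignore the base, so reject them.
    drive, tail = ntpath.splitdrive(requested)
    if drive or tail.startswith(("\\", "/")):
        return None
    base_norm = ntpath.normpath(base)
    full = ntpath.normpath(ntpath.join(base_norm, requested))
    # Windows paths are case-insensitive and accept either separator;
    # normcase folds both before the containment comparison.
    base_cmp = ntpath.normcase(base_norm)
    full_cmp = ntpath.normcase(full)
    # Strict containment: the base directory itself is not a servable file.
    if full_cmp.startswith(base_cmp + ntpath.sep):
        return full
    return None


def demo() -> dict:
    """Run both resolvers over constructed request paths for comparison."""
    requests = ["poster.jpg", r"..\..\..\Windows\win.ini",
                "/Windows/win.ini", "D:secret.txt", r"a\..\b.jpg"]
    return {r: (naive_resolve(BASE_DIR, r), safe_resolve(BASE_DIR, r))
            for r in requests}


if __name__ == "__main__":
    for req, (naive, safe) in demo().items():
        print(f"{req!r:28} naive={naive!r:40} safe={safe!r}")
```

The naive column shows the traversal, rooted and drive-letter requests all resolving outside the base, while the hardened resolver returns None for each and still serves ordinary relative names.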

Responsible: GitHub M

Reservation: 03/07/2026

Disclosure: 03/25/2026

Moderation: accepted

CPE: ready

EPSS: 0.00022

KEV: no

Activities: very low
