CVE-2026-32702 in Cleanuparr
Summary
by MITRE • 03/16/2026
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-32702 affects Cleanuparr, a utility designed to automate file cleanup operations within media management systems such as Sonarr and Radarr. This tool integrates with download clients including qBittorrent to streamline the removal of unwanted or blocked files from these platforms. The security flaw lies in the authentication mechanism of Cleanuparr versions 2.7.0 through 2.8.0, and it undermines the access controls that protect these media management environments.
The technical implementation of this vulnerability stems from a flawed logic pattern within the /api/auth/login endpoint's password verification process. During authentication attempts, the application's VerifyPassword function executes a hashing operation that by design consumes considerable processing time to resist brute force attacks. However, the developers implemented early return conditions or short-circuit evaluations that occur before the computationally expensive hashing function executes. This architectural decision creates measurable timing differences in response times between requests for valid versus invalid usernames. When an attacker submits a login request, the system's response time varies predictably based on whether the username exists in the system, as valid usernames proceed through the full authentication path including the time-consuming hash computation while invalid usernames are rejected more quickly.
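The following is an added illustration of the pattern described above and of its remediation; it is not Cleanuparr's code (Cleanuparr is not a Python project) and the user store, salt, password and iteration count are constructed for the example. The vulnerable handler returns before hashing when the username is unknown; the fixed handler hashes against a precomputed dummy record so that known and unknown usernames follow the same expensive path. A call counter makes the difference observable without relying on wall-clock timing.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters: a deliberately slow password hash, as a real one should be.
_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample user store: username -> (salt, stored hash). Not Cleanuparr's storage.
_SALT = b"constructed-salt"
USERS = {"admin": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record compared against when the username is unknown; built once at startup so the
# unknown-user path costs the same as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-password", _DUMMY_SALT)

# Instrumentation: counts how often the slow hash actually ran.
hash_calls = {"count": 0}


def _counted_hash(password: str, salt: bytes) -> bytes:
    hash_calls["count"] += 1
    return hash_password(password, salt)


def login_vulnerable(username: str, password: str) -> bool:
    """Short-circuits before hashing when the user is unknown (the CVE-2026-32702 pattern)."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path: no hash computed, so the response is measurably quicker
    salt, stored = record
    return hmac.compare_digest(_counted_hash(password, salt), stored)


def login_fixed(username: str, password: str) -> bool:
    """Always runs the expensive hash, so unknown and known usernames take equal time."""
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_counted_hash(password, salt), stored)
    return known and match


def hash_calls_for(handler, username: str, password: str = "x") -> int:
    """Number of slow hash invocations one login attempt triggers."""
    before = hash_calls["count"]
    handler(username, password)
    return hash_calls["count"] - before


def time_login(handler, username: str, password: str = "x", rounds: int = 5) -> float:
    """Median wall-clock seconds per attempt; used to verify the mitigation locally."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        handler(username, password)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        known_ms = time_login(handler, "admin") * 1000
        unknown_ms = time_login(handler, "nobody") * 1000
        print(f"{name}: known user {known_ms:.1f} ms, unknown user {unknown_ms:.1f} ms")
```

Running the block locally shows the vulnerable handler answering unknown usernames in well under a millisecond while known usernames take the full hash cost; the fixed handler spends the same time on both. A residual difference from the user lookup itself remains, which is why rate limiting is still worth adding alongside the always-hash fix.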
This timing-based username enumeration attack creates a direct pathway for unauthorized actors to systematically identify valid user accounts within the Cleanuparr system. The differential response times, typically measured in milliseconds, provide attackers with sufficient data to distinguish between legitimate and non-existent accounts through repeated testing. The vulnerability operates at the application layer and requires no prior authentication credentials to exploit, making it particularly dangerous as it can be leveraged remotely without establishing a presence within the target network. The flaw specifically aligns with CWE-203, which catalogs weaknesses related to information exposure through timing variations, and represents a classic example of a timing side-channel attack that can be weaponized for account enumeration and subsequent credential compromise attempts.
The operational impact of this vulnerability extends beyond simple account enumeration, as it creates a foundation for more sophisticated attacks against the Cleanuparr system and potentially the broader media management infrastructure it supports. Once valid usernames are identified, attackers can proceed with targeted password guessing or brute force attempts against these known accounts, significantly reducing the search space for successful credential compromise. The vulnerability also impacts the integrity of the authentication system by exposing information that should remain confidential during the login process. Organizations relying on Cleanuparr for automated file management within their Sonarr and Radarr environments face increased risk of unauthorized access to their media libraries and download operations, potentially leading to data exposure or system manipulation. This weakness particularly affects environments where Cleanuparr operates as an intermediary between media management systems and download clients, creating an additional attack surface that could be exploited to gain unauthorized control over automated media processing workflows.
The remediation for this vulnerability requires implementing a constant-time password verification approach that ensures all authentication attempts take approximately equal time regardless of whether the username exists in the system. The fix implemented in Cleanuparr version 2.8.1 addresses this by removing the early return conditions that enabled the timing differential, ensuring that the computationally expensive hashing function executes consistently for all authentication attempts. This approach aligns with established security practices that prevent timing side-channel attacks by maintaining constant execution paths and eliminating information leakage through response time variations. Organizations should immediately upgrade to version 2.8.1 or later to mitigate this vulnerability, while also implementing monitoring for potential exploitation attempts that may have occurred prior to the patch release. The remediation process should include reviewing existing authentication logs for signs of username enumeration attempts and implementing additional security controls such as rate limiting and account lockout mechanisms to further protect against exploitation attempts.
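As an added example of the log review recommended above (not part of the advisory and not Cleanuparr's own tooling), the script below scans authentication log lines for a single source address trying many distinct usernames against /api/auth/login within a short window, which is the footprint enumeration leaves regardless of whether the attempts succeed. The log format, addresses and usernames are constructed for the example; a real deployment's format will differ and the regular expression would need adjusting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format: "<timestamp> <source ip> POST /api/auth/login user=<name> status=<code>".
SAMPLE_LOG = """\
2026-03-17T10:00:01Z 203.0.113.5 POST /api/auth/login user=alice status=401
2026-03-17T10:00:01Z 203.0.113.5 POST /api/auth/login user=bob status=401
2026-03-17T10:00:01Z 203.0.113.5 POST /api/auth/login user=carol status=401
2026-03-17T10:00:02Z 203.0.113.5 POST /api/auth/login user=dave status=401
2026-03-17T10:00:02Z 203.0.113.5 POST /api/auth/login user=erin status=401
2026-03-17T10:00:02Z 203.0.113.5 POST /api/auth/login user=admin status=401
2026-03-17T10:05:00Z 198.51.100.7 POST /api/auth/login user=admin status=401
2026-03-17T10:05:09Z 198.51.100.7 POST /api/auth/login user=admin status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /api/auth/login user=(?P<user>\S+) status=(?P<status>\d+)$"
)


def parse(line: str):
    """Return (timestamp, ip, username, status) or None for lines that are not login attempts."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], int(m["status"])


def find_enumeration(log_text: str, window: timedelta = timedelta(minutes=1), min_distinct: int = 5) -> dict:
    """Map each source ip that tried >= min_distinct distinct usernames within `window` to that count."""
    events = [e for e in (parse(line) for line in log_text.splitlines()) if e]
    events.sort()
    by_ip = defaultdict(list)
    for ts, ip, user, _status in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window forward so it spans at most `window` of time
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {user for _, user in attempts[start:end + 1]}
            if len(distinct) >= min_distinct:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: {count} distinct usernames in one minute")
```

The detector keys on distinct usernames rather than failed attempts, because enumeration probes are expected to fail; the second source in the sample, which retries one account and then succeeds, is ordinary behaviour and is not flagged. Thresholds should be tuned to the deployment, and the same per-source counting is a reasonable basis for the rate limiting mentioned above.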