SecuriTricks - CVE-2026-44183

Description

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry is attacker-controlled — X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.

Product(s) Impacted

Vendor	Product	Versions
*	Cleanuparr Sonarr Radarr	<2.9.10 * *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-290

Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware
a	/	cleanuparr	<2.9.10	/	/	/	/	/	/
a	/	sonarr	/	/	/	/	/	/	/
a	/	radarr	/	/	/	/	/	/	/

References

https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-8q44-v65j-jc3q

CVSS Score

9.8 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: May 12, 2026, 6:17 p.m.
Last Modified: May 13, 2026, 5:31 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-44183