๐Ÿ” CVE Alert

CVE-2026-30975

HIGH 8.1

Sonarr Authentication Bypass vulnerability

CVSS Score: 8.1
EPSS Score: 0.1%
EPSS Percentile: 17th

Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users who had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) and were not running Sonarr behind a reverse proxy that did not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available: make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.

CWE: CWE-290
Vendor: sonarr
Product: sonarr
Published: Mar 25, 2026
Last Updated: Mar 26, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

Sonarr / Sonarr
< 4.0.16.2942

References

https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944