CVE-2026-32702

UNKNOWN 0.0

Cleanuparr has Username Enumeration via Timing Attack

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1.

CWE	CWE-208
Vendor	cleanuparr
Product	cleanuparr
Published	Mar 13, 2026
Last Updated	Mar 16, 2026

Stay Ahead of the Next One

Get instant alerts for cleanuparr cleanuparr

Be the first to know when new unknown vulnerabilities affecting cleanuparr cleanuparr are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Cleanuparr / Cleanuparr

>= 2.7.0, <= 2.8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-gjmf-m27r-2c9v