Description

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.

INFO

Published Date :

2026-02-27T19:29:18.768Z

Last Modified :

2026-02-27T20:22:24.091Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27707 vulnerability.

Vendors Products
Seerr
  • Seerr
Seerr-team
  • Seerr
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27707.

URL Resource
https://github.com/seerr-team/seerr/commit/4ae20684092b5b28527b23dfbc1a3417858fee8e cve-icon cve-icon
https://github.com/seerr-team/seerr/releases/tag/v3.1.0 cve-icon cve-icon
https://github.com/seerr-team/seerr/security/advisories/GHSA-rc4w-7m3r-c2f7 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact