Description

Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.

INFO

Published Date :

2026-03-25T21:08:15.426Z

Last Modified :

2026-03-26T15:23:38.612Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30975 vulnerability.

Vendors Products
Sonarr
  • Sonarr
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30975.

URL Resource
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942 cve-icon cve-icon
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944 cve-icon cve-icon
https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact