{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30976", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:53:48.816Z", "datePublished": "2026-03-25T21:11:20.078Z", "dateUpdated": "2026-03-26T17:53:31.620Z"}, "containers": {"cna": {"title": "Sonarr Path Traversal vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f"}, {"name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950", "tags": ["x_refsource_MISC"], "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950"}, {"name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952", "tags": ["x_refsource_MISC"], "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952"}], "affected": [{"vendor": "Sonarr", "product": "Sonarr", "versions": [{"version": ">= 4.0, < 4.0.17.2950", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T21:11:20.078Z"}, "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network."}], "source": {"advisory": "GHSA-h393-v5hm-6h8f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:53:23.067175Z", "id": "CVE-2026-30976", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:53:31.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30976", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:53:23.067175Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:53:27.423Z"}}], "cna": {"title": "Sonarr Path Traversal vulnerability", "source": {"advisory": "GHSA-h393-v5hm-6h8f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Sonarr", "product": "Sonarr", "versions": [{"status": "affected", "version": ">= 4.0, < 4.0.17.2950"}]}], "references": [{"url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f", "name": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950", "name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952", "name": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T21:11:20.078Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30976", "state": "PUBLISHED", "dateUpdated": "2026-03-26T17:53:31.620Z", "dateReserved": "2026-03-07T17:53:48.816Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T21:11:20.078Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network."}], "id": "CVE-2026-30976", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T21:16:41.623", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950"}, {"source": "security-advisories@github.com", "url": "https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952"}, {"source": "security-advisories@github.com", "url": "https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.0,4.0.17.2950)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Sonarr", "source": "cna", "vendor": "Sonarr"}, "product": "sonarr", "vendor": "sonarr"}], "analysis": {"en": {"generated_at": "2026-03-25T22:36:26.521560+00:00", "value": {"mitigation_remediation": ["Upgrade Sonarr to version 4.0.17.2950 or newer; for stable releases apply 4.0.17.2952.", "If upgrading is not immediately feasible, restrict Sonarr to a secure internal network and access it only through VPN or similar solutions such as Tailscale to prevent external attackers from reaching the vulnerable API endpoints."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized file access and confidentiality breach"}, "threat_synthesis": {"affected_systems": "Affects the Windows installation of Sonarr on the 4.x branch prior to version 4.0.17.2950. MacOS and Linux versions are not affected. The flaw is present in the unstable nightly/develop branch and is also patched in the stable release line at version 4.0.17.2952.", "description_and_impact": "The vulnerability allows an unauthenticated attacker to read any file that the Sonarr process can access, including configuration files that store API keys and database credentials. This path traversal flaw falls under the Common Weakness Enumeration identifier CWE-22 and enables the attacker to compromise sensitive information without authorization. The resulting impact is a loss of confidentiality, potentially leading to wider system compromise if credentials are exfiltrated.", "risk_and_exploitability": "The CVSS score of 8.6 signals a high severity risk. EPSS data is not available, but because the flaw can be triggered via an unauthenticated HTTP request to the Sonarr API, exploitation is straightforward for attackers with network reach to the service. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, suggesting no documented public exploits yet, yet the potential for automated exploitation remains significant."}}}}, "created": "2026-03-26T11:31:27.283916+00:00", "updated": "2026-03-26T12:09:30.411350+00:00", "vendors": ["sonarr", "sonarr$PRODUCT$sonarr"]}