Sonarr unauthenticated file read (CVE-2026-30976)
Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. Th...
Overview
A significant security vulnerability, tracked as CVE-2026-30976, has been identified in Sonarr, a popular PVR (Personal Video Recorder) application for Usenet and BitTorrent users. This flaw is a path traversal vulnerability that affects Windows installations of Sonarr.
Vulnerability Details
In simple terms, this vulnerability is a path traversal flaw. The Sonarr application’s API, which is designed to serve specific files from a controlled directory, did not properly validate file paths. On affected Windows systems, this allowed an unauthenticated remote attacker to craft requests that could read files from anywhere on the same drive that the Sonarr process has permission to access, not just from its intended directory.
This issue specifically impacts versions on the 4.x branch prior to 4.0.17.2950 (nightly/develop) or 4.0.17.2952 (stable/main). macOS and Linux systems are not affected.
Potential Impact
The impact of this vulnerability is severe (CVSS score: 8.6, HIGH). An attacker exploiting this flaw could read sensitive files without requiring any authentication. This includes:
- Application configuration files, potentially containing API keys, database credentials, and other secrets.
- Windows system files.
- Any user-accessible files on the same drive, leading to significant data exposure.
Compromised API keys or credentials could allow an attacker to take over the Sonarr instance, access connected services, or pivot to other systems on the network. Flaws of this type are attractive to threat actors; the advisory cites the Storm-2561 SEO poisoning campaign as another operation whose goal is credential theft.
Remediation and Mitigation
The primary and most critical action is to update Sonarr immediately.
1. Apply the Patch: Update your Sonarr installation to version 4.0.17.2952 (stable) or 4.0.17.2950 (nightly/develop), or any later version. This update contains the fix that properly restricts file access to the intended directory.
2. Immediate Workaround (If Patching is Delayed): If you cannot patch immediately, you must ensure Sonarr is not directly accessible from the internet. Restrict access by:
- Hosting Sonarr on a secure internal network only.
- Using a VPN, Tailscale, or a similar secure tunneling solution for any remote access.
- Ensuring firewall rules block external access to Sonarr’s web interface port (default: 8989).
3. General Security Posture: This incident underscores the importance of keeping all software updated, not just core operating systems. Similar to applying critical updates for Linux kernel security or browser engines, promptly applying patches to ancillary applications is crucial for maintaining a strong security defense.
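To show why joining a client-supplied name onto a base directory is not a containment check, and what the fix in step 1 amounts to, here is an added Python illustration. It is not Sonarr's code: the advisory does not show the affected handler, so the base directories, the probe strings and the assumption that the flaw hinged on Windows path semantics (backslash separators and rooted paths that keep the current drive) are constructed for this example. The ntpath and posixpath modules let the Windows and Linux behaviour be compared on any host.

```python
"""Containment check for a file-serving endpoint (illustrative, not Sonarr's code)."""
import ntpath
import posixpath

# Constructed base directories; a real deployment's layout will differ.
WIN_BASE = r"C:\ProgramData\Sonarr\static"
POSIX_BASE = "/var/lib/sonarr/static"


def naive_resolve(base, requested, p):
    """What a careless handler does: join and normalise, with no containment check."""
    return p.normpath(p.join(base, requested))


def safe_resolve(base, requested, p):
    """Resolve `requested` under `base`; return the path only if it stays inside base.

    normcase is used for the comparison only (it folds case and separators on
    Windows); the un-folded path is what gets returned and opened.
    """
    base_n = p.normcase(p.normpath(base))
    cand = naive_resolve(base, requested, p)
    cand_n = p.normcase(cand)
    # Must be the base itself or base + separator + something, so that a
    # sibling such as "static2" does not pass a plain string-prefix test.
    if cand_n == base_n or cand_n.startswith(base_n + p.sep):
        return cand
    return None


def escapes(base, requested, p):
    """True when the naive join lands outside base (the bug class in this advisory)."""
    return safe_resolve(base, requested, p) is None


def windows_resolve(requested):
    """Convenience wrapper for the Windows base directory."""
    return safe_resolve(WIN_BASE, requested, ntpath)


# Constructed probe strings used only to exercise the check.
PROBES = [
    "logo.png",                   # legitimate relative name
    r"..\..\..\Windows\win.ini",  # dot-dot traversal, Windows separators
    r"\Windows\win.ini",          # rooted path: ntpath.join keeps the drive, drops the base
    "../../../etc/passwd",        # dot-dot traversal, POSIX separators
]


def compare():
    """Return {probe: (escapes_on_windows, escapes_on_posix)} for the naive join."""
    return {probe: (escapes(WIN_BASE, probe, ntpath),
                    escapes(POSIX_BASE, probe, posixpath)) for probe in PROBES}
```

On POSIX the two Windows-style probes resolve to an odd but harmless filename inside the base directory, which is the behaviour a Windows-only traversal would show; the `../` probe escapes on both, so the containment check is needed everywhere, not only on Windows.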