CVE-2026-27707
Published: 27 February 2026
Description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment in which all three of the following hold may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment); `settings.jellyfin.ip` is set to `""` (the default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (the default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
Mitigating Controls (NIST 800-53 r5)
- IA-8, Identification and Authentication (Non-Organizational Users): requires robust identification and authentication of non-organizational users, which directly counters a bypass that lets a stranger register by way of an attacker-controlled Jellyfin server.
- AC-2, Account Management: mandates managed account lifecycles, including an approval step for new account creation, so an unauthenticated caller cannot self-provision a Seerr account that is immediately usable.
- SI-10, Information Input Validation: requires validation of inputs from untrusted external sources such as a caller-nominated Jellyfin server, addressing the reliance on untrusted data inside the authentication guard (CWE-807).
Security Summary
CVE-2026-27707 is an authentication guard logic flaw in the `POST /api/v1/auth/jellyfin` endpoint of Seerr, an open-source media request and discovery manager for Jellyfin, Plex, and Emby. The vulnerability affects Seerr versions starting from 2.0.0 and prior to 3.1.0, but only Plex-configured instances meeting all three conditions: `settings.main.mediaServerType` set to `PLEX` (the most common deployment), `settings.jellyfin.ip` set to `""` (default, indicating no Jellyfin configuration), and `settings.main.newPlexLogin` set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-807 (Reliance on Untrusted Inputs in a Security Decision).
An unauthenticated network attacker can exploit this flaw by authenticating to the vulnerable Seerr instance using an attacker-controlled Jellyfin server. This allows the attacker to register a new Seerr account, obtaining an authenticated session with default permissions. With this access, the attacker can immediately use the application, including submitting media requests to integrated services like Radarr and Sonarr.
The issue is fixed in Seerr version 3.1.0, as detailed in the project's security advisory (GHSA-rc4w-7m3r-c2f7), release notes, and the fixing commit (4ae20684092b5b28527b23dfbc1a3417858fee8e). Security practitioners should upgrade to version 3.1.0 or later. Where an upgrade must wait, note that all three configuration conditions must hold for the flaw to be reachable, so setting `settings.main.newPlexLogin` to `false` on a Plex-configured instance removes the precondition, at the cost of blocking legitimate new Plex sign-ins; confirm the three settings on each instance rather than assuming the defaults are in place.
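The precondition the description and summary above spell out, as an added TypeScript example that is not Seerr's code: a configuration check for the three settings plus the affected version window, beside a hypothetical reconstruction of the guard-flaw class and a hardened guard. The `Settings` shape, the `MediaServerType` values and both guard functions are assumptions made for illustration, not the project's real logic and not the content of the fixing commit.

```typescript
// Added example for CVE-2026-27707; not Seerr's code. The Settings shape, the
// MediaServerType values and the two guard functions are assumptions made to
// model the precondition the advisory describes, not the project's real logic.

type MediaServerType = "PLEX" | "JELLYFIN" | "EMBY" | "NOT_CONFIGURED";

interface Settings {
  main: { mediaServerType: MediaServerType; newPlexLogin: boolean };
  jellyfin: { ip: string };
}

// Minimal "x.y.z" comparison (assumption: plain numeric triples, as in 2.0.0 / 3.1.0).
function cmpVersion(a: string, b: string): number {
  const ta = a.split(".").map((n) => parseInt(n, 10) || 0);
  const tb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const d = (ta[i] ?? 0) - (tb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Configuration check to run against a dumped settings object: exposed only when
// the version is in [2.0.0, 3.1.0) AND all three advisory conditions hold.
function isExposed(version: string, s: Settings): boolean {
  const versionAffected =
    cmpVersion(version, "2.0.0") >= 0 && cmpVersion(version, "3.1.0") < 0;
  const configAffected =
    s.main.mediaServerType === "PLEX" &&
    s.jellyfin.ip === "" &&
    s.main.newPlexLogin === true;
  return versionAffected && configAffected;
}

// Hypothetical reconstruction of the flaw class (CWE-288 / CWE-807): the guard
// never asks which media server the instance actually uses, and when no Jellyfin
// host was configured it lets the unauthenticated caller supply one. A Plex
// instance on default settings therefore accepts a login brokered by a Jellyfin
// server the attacker controls.
function vulnerableGuardAllows(s: Settings, callerSuppliedHost: string): boolean {
  const jellyfinHost = s.jellyfin.ip !== "" ? s.jellyfin.ip : callerSuppliedHost;
  return s.main.newPlexLogin && jellyfinHost.length > 0;
}

// Hardened guard: the Jellyfin login route is only valid on a Jellyfin/Emby
// deployment, and the server contacted is always the operator-configured one.
// The caller-supplied host is never consulted, so it is not even a parameter.
function hardenedGuardAllows(s: Settings): boolean {
  const t = s.main.mediaServerType;
  if (t !== "JELLYFIN" && t !== "EMBY") return false;
  if (s.jellyfin.ip === "") return false;
  return true;
}

// Constructed sample: a Plex instance on defaults, as the advisory describes.
const plexDefaults: Settings = {
  main: { mediaServerType: "PLEX", newPlexLogin: true },
  jellyfin: { ip: "" },
};
console.log("exposed on 2.5.0:", isExposed("2.5.0", plexDefaults)); // true
console.log("exposed on 3.1.0:", isExposed("3.1.0", plexDefaults)); // false
console.log("flawed guard:", vulnerableGuardAllows(plexDefaults, "jf.attacker.example")); // true
console.log("hardened guard:", hardenedGuardAllows(plexDefaults)); // false
```

The point of the hardened variant is that the decision is keyed on state only the operator controls (`mediaServerType` and the configured `jellyfin.ip`), never on anything the unauthenticated request carries; `isExposed` is the check to run across a fleet before and after the 3.1.0 upgrade.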
Details
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel); CWE-807 (Reliance on Untrusted Inputs in a Security Decision)
- Affected Products: Seerr, versions 2.0.0 and later, prior to 3.1.0 (fixed in 3.1.0); only Plex-configured instances meeting the three conditions above
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): the vulnerability is an authentication bypass in a public-facing web application (the Seerr API endpoint `POST /api/v1/auth/jellyfin`), so exploiting it is exactly the exploitation of a public-facing application for unauthenticated remote access, here yielding a registered account and an authenticated session.