Cyber Resilience

CVE-2026-27707

Severity: High · Public PoC

Published: 27 February 2026
Modified: 04 March 2026
KEV Added: not listed
Patch: Seerr 3.1.0
CVSS Score (v3.1): 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0051 (39.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27707 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Seerr (vendor: Seerr). Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.2nd percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations identified by this analysis are NIST SP 800-53 AC-2 (Account Management) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-27707 is an authentication guard logic flaw in the `POST /api/v1/auth/jellyfin` endpoint of Seerr, an open-source media request and discovery manager for Jellyfin, Plex, and Emby. The vulnerability affects Seerr versions from 2.0.0 up to, but not including, 3.1.0, and only Plex-configured instances that meet all three of the following conditions: `settings.main.mediaServerType` set to `PLEX` (the most common deployment), `settings.jellyfin.ip` set to `""` (the default, meaning Jellyfin was never configured), and `settings.main.newPlexLogin` set to `true` (the default). Jellyfin-configured and Emby-configured deployments are not affected. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-807 (Reliance on Untrusted Inputs in a Security Decision).

An unauthenticated network attacker can exploit this flaw by authenticating to the vulnerable Seerr instance using an attacker-controlled Jellyfin server. This allows the attacker to register a new Seerr account, obtaining an authenticated session with default permissions. With this access, the attacker can immediately use the application, including submitting media requests to integrated services like Radarr and Sonarr.

The issue is fixed in Seerr version 3.1.0, as detailed in the project's security advisory (GHSA-rc4w-7m3r-c2f7), release notes, and the fixing commit (4ae20684092b5b28527b23dfbc1a3417858fee8e). Security practitioners should upgrade to version 3.1.0 or later and verify the specified configuration settings to mitigate exposure.
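As an added example (not code from the Seerr project), the following TypeScript models the three advisory conditions as an exposure check a defender can run against an exported settings object, and shows the kind of guard that closes the alternate login path: the Jellyfin login handler is refused outright on an instance configured for Plex. The `SeerrSettings` shape, the version parser and the guard design are assumptions for illustration, not the project's actual types or fix.

```typescript
// Added example for CVE-2026-27707; not Seerr's own code.
// SeerrSettings mirrors only the three keys the advisory names (assumed shape).
type MediaServerType = "PLEX" | "JELLYFIN" | "EMBY";

interface SeerrSettings {
  main: { mediaServerType: MediaServerType; newPlexLogin: boolean };
  jellyfin: { ip: string };
}

// Parse "major.minor.patch" into a comparable tuple; pre-release tags are ignored.
function parseVersion(v: string): [number, number, number] {
  const [maj = 0, min = 0, pat = 0] = v.split("-")[0].split(".").map(Number);
  return [maj, min, pat];
}

// true when lowInclusive <= v < highExclusive (the advisory's affected range form).
function versionInRange(v: string, lowInclusive: string, highExclusive: string): boolean {
  const cmp = (a: number[], b: number[]): number => {
    for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
    return 0;
  };
  const x = parseVersion(v);
  return cmp(x, parseVersion(lowInclusive)) >= 0 && cmp(x, parseVersion(highExclusive)) < 0;
}

// Exposure check straight from the advisory: affected version range AND all
// three configuration conditions (PLEX, empty Jellyfin ip, newPlexLogin enabled).
function isExposedToCve202627707(s: SeerrSettings, version: string): boolean {
  const inRange = versionInRange(version, "2.0.0", "3.1.0");
  const plexWithNewLogin =
    s.main.mediaServerType === "PLEX" && s.jellyfin.ip === "" && s.main.newPlexLogin === true;
  return inRange && plexWithNewLogin;
}

// Hardened guard (assumed design, not the project's fix): the Jellyfin login
// route is only reachable when the operator configured Jellyfin or Emby and set
// a server address. Anything the remote server asserts is never consulted on a
// Plex instance, so an attacker-supplied server cannot influence the decision.
function jellyfinLoginPermitted(s: SeerrSettings): boolean {
  const jellyfinLike =
    s.main.mediaServerType === "JELLYFIN" || s.main.mediaServerType === "EMBY";
  return jellyfinLike && s.jellyfin.ip.trim() !== "";
}
```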

Vulnerability details

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment); `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing web application (Seerr API endpoint), directly enabling exploitation of a public-facing application for unauthenticated remote access and account registration.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44574 (shared CWE-288)
CVE-2025-2747 (shared CWE-288)
CVE-2025-69101 (shared CWE-288)
CVE-2026-2628 (shared CWE-288)
CVE-2025-64121 (shared CWE-288)
CVE-2026-22733 (shared CWE-288)
CVE-2026-44575 (shared CWE-288)
CVE-2025-50904 (shared CWE-288)
CVE-2025-24846 (shared CWE-288)
CVE-2026-25002 (shared CWE-288)

Affected Assets

Vendor: seerr
Product: seerr
Versions: 2.0.0 up to, but not including, 3.1.0

Mitigating Controls (NIST 800-53 r5, AI)

prevent · IA-8 (Identification and Authentication (Non-organizational Users)): Requires robust identification and authentication for non-organizational users, directly preventing the authentication bypass flaw that allows registration via an attacker-controlled Jellyfin server.

prevent · AC-2 (Account Management): Mandates management of accounts, including approval processes for new account creation, blocking unauthorized Seerr account registration by unauthenticated attackers.

prevent · input validation: Enforces validation of information inputs from untrusted external sources such as the Jellyfin server, mitigating reliance on untrusted data in authentication guard logic (CWE-807).

References