CVE-2026-30975
Published: 25 March 2026
Summary
CVE-2026-30975 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Sonarr. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 9.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly mitigates the authentication bypass by requiring identification and limiting the actions permitted without identification or authentication, which addresses Sonarr configurations that disable authentication for local addresses.
- CM-6 (Configuration Settings): ensures secure configuration settings such as enabling Sonarr's 'Authentication Required' option, preventing exploitation in deployments without a reverse proxy.
- Flaw remediation: mandates timely application of the vendor patches in Sonarr versions 4.0.16.2942 and 4.0.16.2944, eliminating the authentication bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass (CWE-290) in the network-accessible Sonarr web application directly enables remote exploitation of a public-facing application without credentials when the service is misconfigured.
NVD Description
Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that did not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.
Deeper analysis
CVE-2026-30975 is an authentication bypass vulnerability (CWE-290) affecting Sonarr, a PVR application for Usenet and BitTorrent users. It impacts versions prior to 4.0.16.2942, specifically configurations where authentication is disabled for local addresses (set to "Disabled for Local Addresses") and no reverse proxy is in place that blocks invalid headers. Published on 2026-03-25, the flaw has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility and potential for significant confidentiality and integrity impacts.
The vulnerability is exploitable over the network with low attack complexity and no privileges, but it requires user interaction. The bypass occurs when an invalid header reaches Sonarr in the affected configuration, allowing unauthorized access. Successful exploitation enables high-impact confidentiality breaches, such as reading sensitive data, and integrity violations, such as modifying configurations or content, without affecting availability.
Patches are available in Sonarr version 4.0.16.2942 for the nightly/develop branch and 4.0.16.2944 for stable/main releases, as detailed in the project's GitHub release notes and security advisory (GHSA-h5qx-5hjf-7c9r). Advisories recommend mitigations including enabling Sonarr's "Authentication Required" setting, deploying a reverse proxy that strips invalid headers, avoiding direct internet exposure, and accessing the service via VPN, Tailscale, or similar secure tunnels.
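The advisory describes three exposure conditions (an unpatched version, Authentication Required not set to `Enabled`, and no reverse proxy in front of Sonarr that drops the invalid header). The following audit script is an added example written for this page; it is not code from Sonarr or from the advisory. It assumes that Sonarr's config.xml carries an `AuthenticationRequired` element with the values `Enabled` / `DisabledForLocalAddresses` and a `Branch` element (both are assumptions about the file layout), and it takes the running version and the reverse-proxy question as operator-supplied inputs, because the page does not name the header involved. The version thresholds and setting names come from the advisory text; the config.xml content below is constructed sample data.

```python
"""Audit a Sonarr deployment for the CVE-2026-30975 exposure conditions.

Added illustration, not code from Sonarr or from the advisory. Assumed:
config.xml holds <AuthenticationRequired> (values "Enabled" or
"DisabledForLocalAddresses") and <Branch>; the running version string is
supplied by the operator. Thresholds are the patched versions the advisory
names for each branch.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Patched versions per the advisory: nightly/develop vs stable/main.
PATCHED = {
    "develop": (4, 0, 16, 2942),
    "main": (4, 0, 16, 2944),
}

# Constructed sample configs (assumed layout, not copied from a real install).
SAMPLE_CONFIG_EXPOSED = """<Config>
  <BindAddress>*</BindAddress>
  <Port>8989</Port>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <AuthenticationRequired>DisabledForLocalAddresses</AuthenticationRequired>
  <Branch>main</Branch>
</Config>"""

SAMPLE_CONFIG_HARDENED = """<Config>
  <BindAddress>*</BindAddress>
  <Port>8989</Port>
  <AuthenticationMethod>Forms</AuthenticationMethod>
  <AuthenticationRequired>Enabled</AuthenticationRequired>
  <Branch>main</Branch>
</Config>"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a four-part Sonarr version such as '4.0.16.2941' into an int tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Sonarr version string: {version!r}")
    return tuple(int(p) for p in parts)


def patched_threshold(branch: str) -> Tuple[int, ...]:
    """Threshold for the branch; unknown branches are held to the stable threshold."""
    return PATCHED.get(branch.strip().lower(), PATCHED["main"])


def is_patched(version: str, branch: str) -> bool:
    """True when the running version is at or above the patched version for its branch."""
    return parse_version(version) >= patched_threshold(branch)


def audit(config_xml: str, version: str, behind_stripping_proxy: bool) -> List[str]:
    """Return findings; an empty list means none of the exposure conditions hold."""
    root = ET.fromstring(config_xml)
    auth_required = (root.findtext("AuthenticationRequired") or "").strip()
    branch = (root.findtext("Branch") or "main").strip()
    findings: List[str] = []

    if not is_patched(version, branch):
        wanted = ".".join(str(n) for n in patched_threshold(branch))
        findings.append(f"unpatched: {version} on branch {branch!r} is below {wanted}")

    if auth_required != "Enabled":
        findings.append(
            f"AuthenticationRequired is {auth_required!r}; advisory recommends 'Enabled'"
        )
        if not behind_stripping_proxy:
            # All three conditions from the advisory are present at once.
            findings.append(
                "no header-stripping reverse proxy in front of Sonarr; "
                "remediate by patching or setting AuthenticationRequired to 'Enabled'"
            )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG_EXPOSED, "4.0.16.2941", behind_stripping_proxy=False):
        print("FINDING:", line)
    print("hardened:", audit(SAMPLE_CONFIG_HARDENED, "4.0.16.2944", True) or "no findings")
```

The branch-aware comparison matters because the stable fix number (4.0.16.2944) is higher than the nightly one (4.0.16.2942); a stable install that merely reaches 4.0.16.2942 is still reported as unpatched. The reverse-proxy flag is deliberately an input rather than something the script probes, since only the operator knows whether the proxy in front of Sonarr drops the header the advisory refers to.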
Details
- CWE(s)