CVE-2026-30976
Published: 25 March 2026
Summary
CVE-2026-30976 is a high-severity Path Traversal (CWE-22) vulnerability in Sonarr (vendor: Sonarr). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the 6.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly mitigates the path traversal vulnerability by requiring validation of file path inputs to the Sonarr API, preventing access to arbitrary files outside the intended directory.
- AC-3 (Access Enforcement): enforces logical access controls to restrict API file serving to only the intended disk directory, addressing the lack of directory limitations in the vulnerable Sonarr versions.
- AC-6 (Least Privilege): limits the Sonarr process privileges on Windows systems to the minimum necessary, reducing the scope of readable files even if path traversal succeeds.
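As an added example (not Sonarr's code, and not the patch that fixed this issue), the check below shows the first two controls in working form: a hypothetical `resolve_served_path` helper that confines a client-supplied path to the directory a file-serving endpoint is meant to expose, using Windows path semantics. It uses Python's `ntpath` so that backslash and forward-slash separators, drive letters, UNC shares and case-insensitive names are handled the same way on any platform. The served directory, helper names and sample requests are constructed for illustration.

```python
"""Lexical path-confinement check for a file-serving API under Windows path
semantics. Added example, not Sonarr's code; helper names, the served
directory and the sample requests are constructed for illustration."""
import ntpath


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the served directory."""


def resolve_served_path(base_dir: str, requested: str) -> str:
    """Map a client-supplied relative path onto base_dir, or raise.

    base_dir must be an absolute, drive-qualified Windows path (e.g. C:\\App\\Covers).
    The check is purely lexical: it normalises separators, '.' and '..' and then
    requires the result to stay strictly below base_dir. It does not follow
    junctions or symlinks; on a live filesystem add a resolve() step as well.
    """
    base = ntpath.normpath(base_dir)
    if not ntpath.splitdrive(base)[0]:
        raise ValueError("base_dir must be an absolute, drive-qualified Windows path")
    if not requested or "\x00" in requested:
        raise PathTraversalError("empty path or NUL byte in path")

    # Reject anything naming a drive or share (C:..., \\server\share) or rooted
    # on the current drive (\Windows\...) before join() can switch volumes.
    drive, tail = ntpath.splitdrive(requested)
    if drive or tail[:1] in ("\\", "/"):
        raise PathTraversalError("absolute, rooted or drive-qualified path")

    # ntpath.normpath collapses '..' and '.' and unifies '/' and '\\' separators.
    candidate = ntpath.normpath(ntpath.join(base, requested))

    # Windows names are case-insensitive, so compare case-folded forms. The
    # trailing separator stops C:\App\Covers2 from passing as C:\App\Covers.
    prefix = ntpath.normcase(base).rstrip("\\") + "\\"
    if not ntpath.normcase(candidate).startswith(prefix):
        raise PathTraversalError(f"{requested!r} resolves outside the served directory")
    return candidate


SERVED_ROOT = r"C:\App\Covers"  # constructed sample directory, not a Sonarr path

SAMPLE_REQUESTS = [  # constructed sample inputs a file endpoint might receive
    r"1\poster.jpg",
    "1/fanart-500.jpg",
    r"1\..\2\poster.jpg",
    r"..\config.xml",
    "../../Windows/win.ini",
    r"\Windows\win.ini",
    r"D:\Users\admin\secret.txt",
    r"\\fileserver\share\notes.txt",
]


def classify_requests(base_dir=SERVED_ROOT, requests=SAMPLE_REQUESTS):
    """Return {request: resolved path or 'REJECTED: reason'}, e.g. for audit logging."""
    results = {}
    for req in requests:
        try:
            results[req] = resolve_served_path(base_dir, req)
        except PathTraversalError as exc:
            results[req] = f"REJECTED: {exc}"
    return results


if __name__ == "__main__":
    for req, outcome in classify_requests().items():
        print(f"{req!r:36} -> {outcome}")
```

The check is deliberately lexical so it can be unit-tested without a filesystem; in production, pair it with a real-path resolution step (junctions and symlinks inside the served directory can still point elsewhere) and keep the process running with the least privilege the third control describes, so a bypass of the path check still reaches as few files as possible.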
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Path traversal in an exposed Sonarr instance enables remote, unauthenticated exploitation of a public-facing application (T1190). It directly provides arbitrary file read on the host, enabling collection of data from the local system (T1005) and retrieval of unsecured credentials from configuration files (T1552.001).
NVD Description
Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive. This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network.
Deeper analysis [AI]
CVE-2026-30976 is a path traversal vulnerability (CWE-22) in Sonarr, a PVR application for Usenet and BitTorrent users, affecting versions on the 4.x branch prior to 4.0.17.2950. The flaw occurs because files returned from the API are not restricted to the intended directory on disk, enabling an unauthenticated remote attacker to read any file accessible by the Sonarr process. This includes application configuration files containing API keys and database credentials, Windows system files, and any user-accessible files on the same drive. The issue is limited to Windows systems, with macOS and Linux unaffected.
An unauthenticated attacker with network access to a vulnerable Sonarr instance (CVSSv3.1 score of 8.6: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) can exploit this vulnerability remotely without privileges or user interaction. Successful exploitation has a high confidentiality impact: arbitrary file reads can expose sensitive credentials, system information, or any other data readable by the process, which in turn can enable lateral movement or further compromise within the environment.
The Sonarr security advisory (GHSA-h393-v5hm-6h8f) and release notes detail patches in version 4.0.17.2950 for the nightly/develop branch and 4.0.17.2952 for stable/main releases. As a workaround, administrators should host Sonarr on a secure internal network and restrict external access via VPN, Tailscale, or similar solutions until patching is feasible.
Details
- CWE(s)