Cyber Posture

CVE-2026-44183

Critical
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 12 May 2026

Published
12 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 15.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44183 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 15.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
addresses: CWE-290 CWE-348

Directly counters DNS response spoofing by requiring cryptographic origin authentication before trusting resolved names/addresses.

AC-9 Previous Logon Notification
addresses: CWE-290

Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.

AT-2 Literacy Training and Awareness
addresses: CWE-290

Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.

IA-12 Identity Proofing
addresses: CWE-290

Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.

IA-3 Device Identification and Authentication
addresses: CWE-290

Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.

IA-8 Identification and Authentication (Non-organizational Users)
addresses: CWE-290

Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.

IA-9 Service Identification and Authentication
addresses: CWE-290

Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.

SC-11 Trusted Path
addresses: CWE-290

Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts.

NVD Description

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry…

more

is attacker-controlled — X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-290CWE-348

CVEs Like This One

CVE-2025-54576Shared CWE-290
CVE-2026-21862Shared CWE-290
CVE-2024-1524Shared CWE-290
CVE-2026-22734Shared CWE-290
CVE-2026-2800Shared CWE-290
CVE-2026-6762Shared CWE-290
CVE-2018-25316Shared CWE-290
CVE-2026-45223Shared CWE-290
CVE-2026-33131Shared CWE-290
CVE-2025-24458Shared CWE-290

References