CVE Catalog

CVE-2026-44183

Critical
Published: Translated: NVD NIST

Summary

CVE-2026-44183 affects the Cleanuparr tool, which automates the cleanup of unwanted files in Sonarr, Radarr, and supported download clients. In versions prior to 2.9.10, an attacker could exploit the X-Forwarded-For header to spoof the client IP address, allowing unauthorized access to the administrator account.

Risk Assessment

Organizations using Cleanuparr may be at risk of unauthorized access to the administrator account, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to update Cleanuparr to version 2.9.10 or later to mitigate this vulnerability.

Original NVD description (English source)

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry is attacker-controlled — X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS