Vulnerability Description
Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or similar solution outside that network.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sonarr | Sonarr | >= 4.0.0.741, < 4.0.17.2950 |
Related Weaknesses (CWE)
References
- https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950Release Notes
- https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952Release Notes
- https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8fVendor Advisory
FAQ
What is CVE-2026-30976?
CVE-2026-30976 is a vulnerability with a CVSS score of 8.6 (HIGH). Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. Th...
How severe is CVE-2026-30976?
CVE-2026-30976 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30976?
Check the references section above for vendor advisories and patch information. Affected products include: Sonarr Sonarr.