Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry is attacker-controlled — X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.
The TrustedNetworkAuthenticationHandler.ResolveClientIp component reads the client IP address from the leftmost (first) entry of the X-Forwarded-For header. However, this header is appended in an append-only manner, meaning the first value comes directly from the original HTTP client and is fully controlled by it. The attacker sends an HTTP request with a spoofed local IP value in the X-Forwarded-For header, causing the server to incorrectly treat the connection as originating from a trusted network. As a result, the attacker is treated as an authenticated Cleanuparr administrator without providing any credentials.
An unauthenticated remote attacker gains full administrative access to the Cleanuparr application, enabling them to take control of the configuration and operations managed by the tool, including Sonarr, Radarr, and connected download clients.
Update Cleanuparr to version 2.9.10 or later, where the vulnerability has been patched. As a temporary workaround, it is recommended to restrict network access to the Cleanuparr instance only to trusted hosts at the firewall level.
Cleanuparr in versions prior to 2.9.10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H