CRITICAL🇵🇱 Wersja polska

CVE-2026-44183

CVSS 9.8v3.1pub. 2026-05-12upd. 2026-05-13

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry is attacker-controlled — X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.

🤖 AI Analysis
How it works

The TrustedNetworkAuthenticationHandler.ResolveClientIp component reads the client IP address from the leftmost (first) entry of the X-Forwarded-For header. However, this header is appended in an append-only manner, meaning the first value comes directly from the original HTTP client and is fully controlled by it. The attacker sends an HTTP request with a spoofed local IP value in the X-Forwarded-For header, causing the server to incorrectly treat the connection as originating from a trusted network. As a result, the attacker is treated as an authenticated Cleanuparr administrator without providing any credentials.

Impact

An unauthenticated remote attacker gains full administrative access to the Cleanuparr application, enabling them to take control of the configuration and operations managed by the tool, including Sonarr, Radarr, and connected download clients.

Mitigation & patch

Update Cleanuparr to version 2.9.10 or later, where the vulnerability has been patched. As a temporary workaround, it is recommended to restrict network access to the Cleanuparr instance only to trusted hosts at the firewall level.

Who is affected

Cleanuparr in versions prior to 2.9.10

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References