
CVE-2026-26069: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in thecfu scraparr

Severity: Critical
Tags: Vulnerability, CVE-2026-26069, CWE-200
Published: Thu Feb 12 2026 (02/12/2026, 21:33:47 UTC)
Source: CVE Database V5
Vendor/Project: thecfu
Product: scraparr

Description

Scraparr is a Prometheus Exporter for various components of the *arr Suite. From 3.0.0-beta to before 3.0.2, when the Readarr integration was enabled, the exporter exposed the configured Readarr API key as the alias metric label value. Users were affected only if all of the following conditions were met: the Readarr scraping feature was enabled and no alias was configured, the exporter's /metrics endpoint was accessible to external or unauthorized users, and the Readarr instance was externally accessible. If the /metrics endpoint was publicly accessible, the Readarr API key could have been disclosed via exported metrics data. This vulnerability is fixed in 3.0.2.

AI-Powered Analysis

Last updated: 02/12/2026, 22:03:51 UTC

Technical Analysis

CVE-2026-26069 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting Scraparr, a Prometheus exporter for the *arr suite of applications. Versions from 3.0.0-beta up to but not including 3.0.2 expose the configured Readarr API key as the alias metric label value when the Readarr integration is enabled and no alias is configured. The exposure occurs through the /metrics HTTP endpoint, which exists to serve monitoring data to Prometheus; exposition output is plain text, so anyone who can fetch the endpoint can read every label value it contains. If that endpoint is reachable externally or by unauthorized users, and the Readarr instance itself is externally accessible, the API key can be extracted by attackers. The API key is a sensitive credential that could allow unauthorized access to the Readarr service, potentially leading to further compromise or data leakage. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high confidentiality impact (VC:H), with scope and integrity impacts limited. The vulnerability was published on February 12, 2026, and is fixed in Scraparr version 3.0.2. No known exploits are reported in the wild at this time.

Potential Impact

For European organizations, this vulnerability poses a significant risk wherever Scraparr is deployed with the Readarr integration enabled, no alias configured, and the /metrics endpoint reachable by unauthorized users. Disclosure of the Readarr API key can lead to unauthorized access to Readarr instances, potentially allowing attackers to manipulate media management workflows, access sensitive metadata, or pivot to other internal systems. This can result in confidentiality breaches and operational disruptions. Organizations running Scraparr in production, especially those exposing monitoring endpoints externally or lacking proper network segmentation, are at higher risk. The impact is amplified in environments where Readarr manages critical or sensitive content. Additionally, a leaked API key can facilitate further attacks or lateral movement within the network, and because Prometheus retains scraped label values, the key may persist in the time-series database and dashboards even after the exporter is fixed. Given the critical CVSS score of 9.1, the vulnerability demands immediate attention to prevent potential data breaches and service interruptions.

Mitigation Recommendations

European organizations should immediately upgrade Scraparr to version 3.0.2 or later, where the vulnerability is fixed. Until the upgrade is applied, restrict access to the /metrics endpoint with network-level controls such as firewall rules or VPN access so that it is not reachable externally or by unauthorized users. Configuring an alias for the Readarr integration in Scraparr also prevents the API key from being emitted as the alias label. Additionally, audit Readarr instances to ensure they are not unnecessarily exposed to the internet and enforce strong access controls and authentication. Monitoring and logging access to the /metrics endpoint can help detect unauthorized access attempts. Finally, rotate the Readarr API key if exposure is suspected or confirmed to limit the window of exploitation, and check Prometheus storage and any downstream dashboards for the old key, since it will have been recorded as a label value on every scrape made while the exporter was vulnerable.
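A defender-side check for the exposure described above, added here as an example and not code from Scraparr itself: it parses a /metrics response in the Prometheus text format and flags any label value that equals the configured Readarr API key, or that merely looks like one when the scanner does not know the key. The metric and label names in the constructed sample, and the 32-hex-character heuristic, are assumptions.

```python
import re
from typing import Dict, List, Tuple

# One sample line of the Prometheus text exposition format:
#   metric_name{label="value",...} <value>
_SAMPLE_RE = re.compile(r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)\{(?P<labels>[^}]*)\}\s+\S+')
_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:\\.|[^"\\])*)"')
# Heuristic only (assumption): *arr API keys are commonly 32 lowercase hex chars.
_HEX32_RE = re.compile(r'^[0-9a-f]{32}$')

def parse_samples(metrics_text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (metric_name, labels) for every labelled sample in a /metrics body."""
    samples = []
    for line in metrics_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip HELP/TYPE comment lines
            continue
        m = _SAMPLE_RE.match(line)
        if not m:
            continue                            # unlabelled samples carry no label values
        labels = {k: v.replace('\\"', '"').replace("\\\\", "\\")
                  for k, v in _LABEL_RE.findall(m.group("labels"))}
        samples.append((m.group("name"), labels))
    return samples

def find_leaked_secret(metrics_text: str, secret: str) -> List[Tuple[str, str]]:
    """(metric, label) pairs whose label value is exactly the known secret."""
    return [(name, key) for name, labels in parse_samples(metrics_text)
            for key, val in labels.items() if val == secret]

def find_keylike_labels(metrics_text: str) -> List[Tuple[str, str, str]]:
    """(metric, label, value) triples whose value looks like an API key (heuristic)."""
    return [(name, key, val) for name, labels in parse_samples(metrics_text)
            for key, val in labels.items() if _HEX32_RE.match(val)]

# Constructed sample output; metric and label names are hypothetical, not Scraparr's own.
READARR_KEY = "0123456789abcdef0123456789abcdef"   # placeholder, not a real key
VULNERABLE_METRICS = """\
# HELP readarr_up Whether the Readarr instance is reachable
# TYPE readarr_up gauge
readarr_up{alias="0123456789abcdef0123456789abcdef"} 1
"""
# The same exporter after an alias is configured (or after upgrading to 3.0.2).
FIXED_METRICS = 'readarr_up{alias="readarr-main"} 1\n'

if __name__ == "__main__":
    print(find_leaked_secret(VULNERABLE_METRICS, READARR_KEY))  # [('readarr_up', 'alias')]
    print(find_leaked_secret(FIXED_METRICS, READARR_KEY))       # []
```

Point the scanner at the saved body of a real /metrics response and at the same text in a Prometheus `series` export to find scrapes that already recorded the key.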


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-10T18:01:31.901Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698e4ad9c9e1ff5ad81db30f

Added to database: 2/12/2026, 9:49:13 PM

Last enriched: 2/12/2026, 10:03:51 PM

Last updated: 2/13/2026, 2:45:04 PM

