CVE-2026-26069: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in thecfu scraparr
Scraparr is a Prometheus exporter for various components of the *arr suite. From 3.0.0-beta to before 3.0.2, when the Readarr integration was enabled, the exporter exposed the configured Readarr API key as the alias metric label value. Users were affected only if all of the following conditions were met: the Readarr scraping feature was enabled and no alias was configured, the exporter’s /metrics endpoint was accessible to external or unauthorized users, and the Readarr instance was externally accessible. If the /metrics endpoint was publicly accessible, the Readarr API key could have been disclosed via exported metrics data. This vulnerability is fixed in 3.0.2.
AI Analysis
Technical Summary
CVE-2026-26069 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting Scraparr, a Prometheus exporter for the *arr suite of media management tools. From version 3.0.0-beta up to but not including 3.0.2, when the Readarr integration is enabled and no alias is configured, Scraparr falls back to the configured Readarr API key as the value of the alias label in the exported Prometheus metrics. The exposure occurs via the /metrics HTTP endpoint, which is designed for monitoring but leaks the credential to anyone who can reach it. Exploitation requires that the Readarr scraping feature is enabled, no alias is set, the /metrics endpoint is reachable by the attacker, and the Readarr instance itself is externally accessible. Disclosure of the API key can lead to unauthorized access to Readarr’s API, allowing an attacker to read or manipulate data in the Readarr service. The vulnerability is remotely exploitable without authentication or user interaction, making it highly dangerous. The issue was fixed in Scraparr version 3.0.2. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), attack requirements present (AT:P), no privileges required (PR:N), no user interaction (UI:N), high confidentiality impact on the vulnerable system (VC:H) with no integrity or availability impact on it, and high integrity (SI:H) and low availability (SA:L) impact on subsequent systems. No known exploits are reported in the wild as of now.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of the Readarr API key, which is a sensitive credential granting access to Readarr’s API. An attacker obtaining this key can potentially perform unauthorized operations such as querying, modifying, or deleting data managed by Readarr, leading to data confidentiality breaches and operational disruptions. Since the API key is exposed via a monitoring endpoint, attackers can automate the extraction without needing authentication or user interaction, increasing the risk of widespread exploitation if the endpoint is publicly accessible. This can lead to lateral movement within networks, data leakage, and compromise of media management infrastructure. Organizations relying on Scraparr and Readarr for media automation and management may face operational downtime, loss of data integrity, and privacy violations. The critical CVSS score reflects the high severity and ease of exploitation. The scope of affected systems includes any deployments of Scraparr versions 3.0.0-beta to before 3.0.2 with Readarr integration enabled and improperly secured /metrics endpoints.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade Scraparr to version 3.0.2 or later, where the issue is fixed. Until upgrading, restrict access to the /metrics endpoint with network-level controls such as firewall rules, VPN access, or IP allowlisting so that it is not reachable externally or by unauthorized users. Configure an alias for the Readarr integration in Scraparr so that the alias label carries that alias rather than the API key. Regularly audit and monitor access logs to detect unauthorized requests to the /metrics endpoint, and treat any earlier unauthenticated scrape of a vulnerable exporter as a potential exposure of the key. Rotate the Readarr API key if exposure is suspected or confirmed. Employ network segmentation to isolate monitoring endpoints from public networks, and review and harden the Readarr instance so that it is not externally exposed. Implement monitoring and alerting on unusual Readarr API activity to detect exploitation attempts early. Finally, educate administrators on secure configuration practices for monitoring tools and API integrations.
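The two points above, the unsafe alias fallback described in the technical summary and the check an operator can run over scraped /metrics output, as an added illustration that is not scraparr's own code; the config keys, the metric name readarr_books_total and the helper names are hypothetical, and the API key value is a constructed placeholder:

```python
"""Added illustration (not scraparr's code): an alias label that falls back to the
API key, the hardened fallback, and a check over Prometheus exposition text."""
import re
from urllib.parse import urlparse

# Constructed sample config (hypothetical keys); the api_key is a placeholder.
READARR_CONFIG = {
    "url": "http://readarr.internal:8787",
    "api_key": "EXAMPLE-API-KEY-00000",
    "alias": None,  # operator did not configure an alias
}


def label_value_vulnerable(cfg):
    # Hypothetical buggy fallback: with no alias set, the secret becomes the label.
    return cfg.get("alias") or cfg["api_key"]


def label_value_fixed(cfg):
    # Hardened fallback: derive the label from non-secret data (the host name).
    return cfg.get("alias") or urlparse(cfg["url"]).hostname or "readarr"


def render_metric(cfg, choose_label):
    # Minimal Prometheus text-exposition line for a hypothetical metric.
    alias = choose_label(cfg)
    return f'readarr_books_total{{alias="{alias}"}} 42\n'


LABEL_RE = re.compile(r"\{([^}]*)\}")


def find_secret_labels(exposition_text, secrets):
    """Return (metric_name, label_string) pairs whose label set contains any of
    the given secret strings. Run this over a scrape of /metrics to confirm
    whether a deployment is leaking its configured keys."""
    hits = []
    for line in exposition_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and HELP/TYPE comments
        match = LABEL_RE.search(line)
        if not match:
            continue  # unlabeled sample, nothing to inspect
        name = line[: match.start()]
        labels = match.group(1)
        if any(secret in labels for secret in secrets):
            hits.append((name, labels))
    return hits
```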
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-10T18:01:31.901Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698e4ad9c9e1ff5ad81db30f
Added to database: 2/12/2026, 9:49:13 PM
Last enriched: 2/20/2026, 9:05:35 AM
Last updated: 3/30/2026, 4:40:54 AM