CVE-2026-27707: CWE-288: Authentication Bypass Using an Alternate Path or Channel in seerr-team seerr
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment); `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
AI Analysis
Technical Summary
Seerr is an open-source media request and discovery manager that integrates with Jellyfin, Plex, and Emby. CVE-2026-27707 is an authentication guard logic flaw in the POST /api/v1/auth/jellyfin endpoint. On an instance configured for Plex (settings.main.mediaServerType = PLEX) where Jellyfin was never configured (settings.jellyfin.ip = "") and new Plex logins are enabled (settings.main.newPlexLogin = true), the Jellyfin login route remains reachable even though the operator never enabled Jellyfin authentication. An unauthenticated attacker authenticates through that route against a Jellyfin server they control, and Seerr registers a new account for them instead of rejecting the request. The result is a valid session with default user permissions, enough to browse the application and submit media requests that Seerr forwards to Radarr and Sonarr. In CWE terms this is CWE-288: the login is validated over a channel (an attacker-chosen Jellyfin server) that was never an accepted authentication source for a Plex instance. Affected versions are 2.0.0 up to but not including 3.1.0; version 3.1.0 fixes the issue. The reported CVSS 3.1 base score of 7.3 (high) reflects network-reachable exploitation with no privileges or user interaction required and a low-rated impact on each of confidentiality, integrity, and availability. No public exploit has been reported at the time of writing, but the low attack complexity and the fact that the exposed state is the default configuration justify prompt patching.
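The following is an added illustrative model of the guard logic described above, written for this analysis and not taken from Seerr's source. It assumes the three settings the advisory names and a hypothetical `hostname` field on the login request that a first-run setup flow would use; the "before" function treats an empty `jellyfin.ip` as "setup not done yet" and therefore validates against whatever server the request names, which is the alternate path the advisory describes, while the "after" function refuses the route outright on a configured Plex or Emby instance.

```typescript
// Illustrative model only (not Seerr's code) of the guard on POST /api/v1/auth/jellyfin.
// Settings shape assumed from the advisory; `hostname` on the request is hypothetical.

type MediaServerType = "PLEX" | "JELLYFIN" | "EMBY" | "NOT_CONFIGURED";

interface Settings {
  main: { mediaServerType: MediaServerType; newPlexLogin: boolean };
  jellyfin: { ip: string }; // "" means Jellyfin was never configured
}

interface JellyfinLoginRequest {
  username: string;
  hostname?: string; // hypothetical: client-supplied server address used during first-time setup
}

interface Decision {
  allowed: boolean;
  serverUsed?: string; // which server credentials would be validated against, if allowed
  reason: string;
}

// Modelled pre-3.1.0 behaviour: an empty jellyfin.ip is taken to mean "first-run setup",
// so the request's own hostname is used even though Plex is the configured media server.
// Creating the not-yet-known user is gated only by newPlexLogin (default true).
function guardVulnerable(s: Settings, req: JellyfinLoginRequest): Decision {
  if (s.main.mediaServerType === "JELLYFIN") {
    return { allowed: true, serverUsed: s.jellyfin.ip, reason: "jellyfin is the media server" };
  }
  if (s.jellyfin.ip === "" && req.hostname) {
    if (s.main.newPlexLogin) {
      // CWE-288: authentication accepted over a channel the operator never enabled.
      return { allowed: true, serverUsed: req.hostname, reason: "treated as first-time setup" };
    }
    return { allowed: false, reason: "new logins disabled" };
  }
  return { allowed: false, reason: "jellyfin not configured" };
}

// Hardened model: the route is valid only when Jellyfin is the configured media server or
// when no media server has been chosen yet. A configured Plex/Emby instance never
// validates credentials against a client-named server.
function guardFixed(s: Settings, req: JellyfinLoginRequest): Decision {
  switch (s.main.mediaServerType) {
    case "JELLYFIN":
      return { allowed: true, serverUsed: s.jellyfin.ip, reason: "jellyfin is the media server" };
    case "NOT_CONFIGURED":
      if (req.hostname) {
        return { allowed: true, serverUsed: req.hostname, reason: "first-run setup" };
      }
      return { allowed: false, reason: "setup requires a server address" };
    default:
      return { allowed: false, reason: `${s.main.mediaServerType} instance: jellyfin login route disabled` };
  }
}

// Constructed sample: the advisory's vulnerable default configuration and an attacker request.
const plexDefaults: Settings = {
  main: { mediaServerType: "PLEX", newPlexLogin: true },
  jellyfin: { ip: "" },
};
const attackerReq: JellyfinLoginRequest = {
  username: "attacker",
  hostname: "jellyfin.attacker.example", // attacker-controlled server
};

function demo(): { before: Decision; after: Decision } {
  return {
    before: guardVulnerable(plexDefaults, attackerReq),
    after: guardFixed(plexDefaults, attackerReq),
  };
}
```

Running `demo()` on the constructed settings shows the difference in one call: the pre-fix guard allows the request and validates against `jellyfin.attacker.example`, the fixed guard denies it because the instance is a Plex instance. Flipping `newPlexLogin` to `false`, or giving `jellyfin.ip` a value, makes even the vulnerable model deny, which matches the three-condition exposure list in the advisory.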
Potential Impact
Organizations running Seerr 2.0.0 through 3.0.x with Plex configured and the Jellyfin and new-login settings left at their defaults are exposed. An attacker gains an authenticated session without holding any credentials for the instance and can submit media requests, which Seerr forwards to Radarr and Sonarr; in practice that means unwanted downloads, disk and bandwidth consumption, exposure of whatever request data a default user can see, and disruption of the media management workflow. Default permissions bound what the attacker can do directly, but the authentication boundary itself is broken, and the resulting foothold is a starting point for chaining with any further weakness in Seerr or in the services it talks to. Home, small-business, and community deployments, where Seerr is frequently exposed to the internet so that users can request media remotely, are the most likely targets. Exploitation needs no user interaction and works remotely, so unpatched internet-facing instances can be swept at scale.
Mitigation Recommendations
Upgrade Seerr to version 3.1.0 or later, where the authentication bypass is fixed. Where an immediate upgrade is not feasible, remove one of the three preconditions: setting settings.main.newPlexLogin = false closes the vulnerable path according to the advisory, at the cost that new Plex users can no longer self-register on first login and must be imported or created by an administrator. Giving settings.jellyfin.ip a non-empty value is also listed among the preconditions, but on a Plex-configured instance that is a hack rather than a configuration, and the advisory does not say it blocks the route on its own, so prefer the newPlexLogin toggle. On a Plex instance nobody legitimately calls POST /api/v1/auth/jellyfin, so a reverse proxy can simply deny that path; more generally, restrict access to the Seerr API to trusted clients and networks. Review the user list for accounts you did not create and remove them along with any requests they submitted, and keep authentication and registration events logged so that unexpected registrations are noticed. Finally, review the Radarr and Sonarr integrations and apply least privilege (quality profiles, root folders, and auto-approval settings for default users) so that a single unauthorized account cannot do much damage.
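Two checks a defender would want after reading the paragraph above, written for this analysis rather than taken from Seerr: a triage of the three exposure preconditions over the settings document, and a scan of reverse-proxy access logs for calls to the Jellyfin login route on a Plex-configured instance. Assumptions: Seerr's settings are available as a JSON document with the three keys the advisory names (the exact file location and any additional keys are not assumed), an absent newPlexLogin key means the documented default of true, and the proxy writes combined-format access logs. Both the settings document and the log lines below are constructed samples.

```typescript
// Added triage helpers (not part of Seerr). Settings and log inputs below are constructed.

interface SettingsDoc {
  main?: { mediaServerType?: string; newPlexLogin?: boolean };
  jellyfin?: { ip?: string };
}

interface Exposure {
  exposed: boolean;
  conditions: { plexConfigured: boolean; jellyfinUnset: boolean; newPlexLogin: boolean };
  workaround?: string;
}

// Evaluates the three preconditions from the advisory; all three must hold for exposure.
function assessExposure(doc: SettingsDoc): Exposure {
  const plexConfigured = doc.main?.mediaServerType === "PLEX";
  const jellyfinUnset = (doc.jellyfin?.ip ?? "") === "";
  const newPlexLogin = doc.main?.newPlexLogin ?? true; // assumption: absent key = documented default
  const exposed = plexConfigured && jellyfinUnset && newPlexLogin;
  return {
    exposed,
    conditions: { plexConfigured, jellyfinUnset, newPlexLogin },
    workaround: exposed ? "upgrade to >= 3.1.0; until then set main.newPlexLogin = false" : undefined,
  };
}

// Combined log format: client ident user [time] "METHOD path proto" status size
const ACCESS_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;

interface Hit {
  client: string;
  time: string;
  status: number;
}

// On a Plex-configured instance no legitimate client calls the Jellyfin login route,
// so every POST to it is reported. A 200 on an exposed instance means a login succeeded.
function findJellyfinAuthHits(lines: string[], exposure: Exposure): Hit[] {
  if (!exposure.conditions.plexConfigured) return []; // route is legitimate on Jellyfin instances
  const hits: Hit[] = [];
  for (const line of lines) {
    const m = ACCESS_LINE.exec(line);
    if (!m) continue;
    const client = m[1] ?? "";
    const time = m[2] ?? "";
    const method = m[3] ?? "";
    const path = (m[4] ?? "").split("?")[0];
    const status = Number(m[5]);
    if (method === "POST" && path === "/api/v1/auth/jellyfin") {
      hits.push({ client, time, status });
    }
  }
  return hits;
}

// Constructed sample inputs: the advisory's default Plex configuration and three proxy lines.
const sampleSettings =
  '{"main":{"mediaServerType":"PLEX","newPlexLogin":true},"jellyfin":{"ip":""}}';
const sampleLog = [
  '203.0.113.7 - - [27/Feb/2026:19:41:11 +0000] "POST /api/v1/auth/plex HTTP/1.1" 200 512',
  '198.51.100.23 - - [27/Feb/2026:19:42:03 +0000] "POST /api/v1/auth/jellyfin HTTP/1.1" 200 640',
  '203.0.113.7 - - [27/Feb/2026:19:42:09 +0000] "GET /api/v1/request HTTP/1.1" 200 2048',
];

function triage(settingsJson: string, logLines: string[]): { exposure: Exposure; hits: Hit[] } {
  const exposure = assessExposure(JSON.parse(settingsJson) as SettingsDoc);
  return { exposure, hits: findJellyfinAuthHits(logLines, exposure) };
}
```

`triage(sampleSettings, sampleLog)` reports the instance as exposed with the newPlexLogin workaround, and flags the single POST to the Jellyfin route from 198.51.100.23 with status 200; on an exposed instance that combination is the signature of a registration through the bypass, and the user list should be checked for an account created at that time. The log scan is intentionally unconditional on status so that failed probes are visible as well.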
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Sweden, Norway, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T17:56:51.203Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a1f35732ffcdb8a26a774e
Added to database: 2/27/2026, 7:41:11 PM
Last enriched: 2/27/2026, 7:55:27 PM
Last updated: 2/28/2026, 3:45:46 AM