CVE-2026-27792: CWE-862: Missing Authorization in seerr-team seerr
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue.
AI Analysis
Technical Summary
Seerr is an open-source media request and discovery manager that integrates with media servers such as Jellyfin, Plex, and Emby. CVE-2026-27792 is a missing authorization flaw (CWE-862) affecting Seerr versions from 2.7.0 up to but not including 3.1.0. The root cause is the absence of the isOwnProfileOrAdmin() middleware on several push subscription API routes, the endpoints that manage a user's push notification subscriptions. The middleware's purpose, as its name indicates, is to confirm that the profile addressed by the request belongs to the session user or that the caller is an administrator; where it is missing, nothing binds the user referenced in the request to the authenticated session, so any logged-in user can read or modify the push subscription data of any other user. This is the insecure-direct-object-reference pattern of missing authorization: authentication is enforced, ownership is not. Exploitation requires an authenticated account but no additional user interaction and is possible remotely over the network. The CVSS v3.1 base score is 5.4 (medium), consistent with network access, low attack complexity, low privileges required, no user interaction, and low impact on confidentiality and integrity with no impact on availability. The issue was publicly disclosed on February 27, 2026 and fixed in Seerr 3.1.0. No exploitation in the wild has been reported.
Potential Impact
The vulnerability lets any authenticated Seerr user bypass the per-user authorization check and read or modify other users' push subscription data. Reading exposes another user's notification configuration; modifying it can alter or remove that user's push subscriptions and disrupt delivery of legitimate notifications. System availability is not affected, but the loss of confidentiality and integrity for user-scoped data undermines user privacy and trust. For organizations running Seerr, the exposure extends to every account on the instance, including low-privileged request-only users, so the realistic threat is an insider or a compromised account rather than an unauthenticated remote attacker. The impact is confined to the confidentiality and integrity of push subscription data; there is no direct availability impact.
Mitigation Recommendations
The primary mitigation is to upgrade Seerr to version 3.1.0 or later, where the ownership-or-admin check is applied to the affected routes. Where an immediate upgrade is not possible, restrict the push subscription API routes at the reverse proxy in front of Seerr (for example by denying them outright, accepting that push notifications stop working until the upgrade) so that the unchecked endpoints are not reachable; network segmentation alone does not help, because the attacker is already an authenticated user of the application. Review user accounts and roles so that only people who need access hold accounts and administrative rights are kept to a minimum. Log and monitor API access for requests to push subscription routes in which the user identifier in the request does not match the authenticated user. Multi-factor authentication reduces the risk from compromised accounts but does not address abuse by legitimate low-privileged users. Finally, audit authorization middleware coverage on every user-scoped API route, ideally with an automated check in the test suite, so that a missing check is caught before release.
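The following is an added illustration written for this page, not Seerr's code: a small in-memory model of Express-style routing that puts the vulnerable shape described in the technical summary (a user-scoped route that authenticates but never checks ownership) next to the fixed shape, and adds the route-coverage audit recommended above. The route paths, the permission model and the exact semantics of isOwnProfileOrAdmin() are assumptions; only the name of the middleware comes from the advisory.

```typescript
// Added example (not Seerr's code). Models CVE-2026-27792's bug class:
// routes under /user/:userId that run an authentication check but no
// ownership/admin check, next to the fixed shape and a coverage audit.
// Paths, permissions and middleware semantics are assumptions.

type Permission = 'ADMIN' | 'USER';
interface User { id: number; permissions: Permission[] }
interface Request {
  user?: User;                        // populated by the session layer
  params: Record<string, string>;     // e.g. { userId: '1', key: 'k1' }
}
interface Response { status: number; body?: unknown }
type Middleware = (req: Request) => Response | undefined; // undefined = continue
type Handler = (req: Request) => Response;
interface Route { method: string; path: string; middleware: Middleware[]; handler: Handler }

// Constructed sample state: one push subscription per user id.
const pushSubscriptions = new Map<number, { key: string; endpoint: string }>([
  [1, { key: 'k1', endpoint: 'https://push.example/alice' }],
  [2, { key: 'k2', endpoint: 'https://push.example/bob' }],
]);

const isAuthenticated: Middleware = (req) =>
  req.user ? undefined : { status: 401, body: { error: 'unauthenticated' } };

// Assumed semantics of isOwnProfileOrAdmin(): the session user may act on
// :userId only when it is their own id or they hold ADMIN.
const isOwnProfileOrAdmin: Middleware = (req) => {
  if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
  const target = Number(req.params.userId);   // NaN for a malformed id -> denied below
  if (req.user.id === target || req.user.permissions.includes('ADMIN')) return undefined;
  return { status: 403, body: { error: 'forbidden' } };
};

const getSubscription: Handler = (req) => {
  const sub = pushSubscriptions.get(Number(req.params.userId));
  return sub ? { status: 200, body: sub } : { status: 404 };
};
const deleteSubscription: Handler = (req) =>
  pushSubscriptions.delete(Number(req.params.userId)) ? { status: 204 } : { status: 404 };

// "Before": the caller is authenticated, but nothing ties :userId to the caller.
const vulnerableRoutes: Route[] = [
  { method: 'GET',    path: '/user/:userId/pushSubscriptions',     middleware: [isAuthenticated], handler: getSubscription },
  { method: 'DELETE', path: '/user/:userId/pushSubscription/:key', middleware: [isAuthenticated], handler: deleteSubscription },
];
// "After": the ownership/admin check runs before every handler.
const fixedRoutes: Route[] = vulnerableRoutes.map((r) => ({
  ...r, middleware: [isAuthenticated, isOwnProfileOrAdmin],
}));

// Runs a route's middleware chain, stopping at the first early response.
function dispatch(route: Route, req: Request): Response {
  for (const mw of route.middleware) {
    const early = mw(req);
    if (early) return early;
  }
  return route.handler(req);
}

// Coverage audit for the mitigation: every route scoped by :userId must carry
// the ownership/admin middleware. Returns the offending "METHOD path" strings.
function auditUserScopedRoutes(routes: Route[]): string[] {
  return routes
    .filter((r) => r.path.includes(':userId') && !r.middleware.includes(isOwnProfileOrAdmin))
    .map((r) => `${r.method} ${r.path}`);
}
```

With the vulnerable route table, a regular user acting on another user's id receives 200 on the GET and 204 on the DELETE; with the fixed table the same requests receive 403, while the user's own id and an ADMIN caller still succeed. The audit function is the kind of check that belongs in a project's test suite: it reports both vulnerable routes and nothing for the fixed ones, and it catches any future user-scoped route added without the middleware.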
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:31:33.265Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a1f35732ffcdb8a26a7753
Added to database: 2/27/2026, 7:41:11 PM
Last enriched: 2/27/2026, 7:57:36 PM
Last updated: 2/28/2026, 5:52:37 AM