Seerr is an open-source media request and discovery manager supporting platforms like Jellyfin, Plex, and Emby. Versions prior to 3.1.0 contain an authorization bypass vulnerability identified as CVE-2026-27793, categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability exists in the GET /api/v1/user/:id endpoint, which improperly returns the full settings object of any user to any authenticated requester, regardless of their privilege level. This settings object includes sensitive third-party API credentials for services such as Pushover, Pushbullet, and Telegram. The flaw allows an attacker with any authenticated account to access other users’ sensitive data. More critically, when combined with CVE-2026-27707, an unauthenticated account creation vulnerability in Seerr, attackers can create accounts without prior access and then exploit CVE-2026-27793 to retrieve credentials for all users, including administrators, resulting in a zero-prior-access attack chain. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting a medium severity with high confidentiality impact but no integrity or availability impact. The attack vector is network-based with low attack complexity, requiring only low privileges and no user interaction. The vendor fixed both vulnerabilities in Seerr version 3.1.0. No known exploits are currently reported in the wild.

The primary impact of CVE-2026-27793 is the unauthorized disclosure of sensitive third-party API credentials belonging to all users of the Seerr platform, including administrators. Exposure of these credentials can lead to further compromise of integrated services such as Pushover, Pushbullet, and Telegram, potentially allowing attackers to send unauthorized notifications, intercept messages, or escalate privileges within those ecosystems. Organizations relying on Seerr for media management risk leakage of confidential user information and loss of trust. If combined with CVE-2026-27707, attackers can bypass authentication entirely, significantly increasing the attack surface and enabling large-scale credential theft without prior access. This can lead to lateral movement, privilege escalation, and broader compromise of connected infrastructure. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can have cascading effects on organizational security posture and user privacy.

The most effective mitigation is to upgrade Seerr installations to version 3.1.0 or later, where the vulnerability is patched. Organizations should immediately audit their current Seerr version and plan urgent updates. Additionally, administrators should rotate all third-party API credentials (Pushover, Pushbullet, Telegram) used within Seerr to invalidate any potentially compromised tokens. Implement strict access controls and monitoring on the Seerr API endpoints to detect unusual access patterns or unauthorized requests. If upgrading is temporarily not possible, restrict network access to the Seerr API to trusted users only and consider implementing additional authentication layers or API gateways to enforce proper authorization. Regularly review user accounts for suspicious activity, especially newly created accounts that may exploit CVE-2026-27707. Finally, maintain an incident response plan to quickly address any detected compromise stemming from this vulnerability.