Seerr is an open-source media request and discovery manager that integrates with media servers like Jellyfin, Plex, and Emby. Prior to version 3.1.0, the API endpoint GET /api/v1/user/:id returns the complete settings object for any user specified by the ID parameter. Critically, this response includes sensitive third-party API credentials such as those for Pushover, Pushbullet, and Telegram. The vulnerability arises because the endpoint does not enforce proper authorization checks to ensure that the requesting user has the right to access another user's settings. Instead, any authenticated user can retrieve this information for any user ID. This is classified as CWE-639: Authorization Bypass Through User-Controlled Key. Furthermore, when combined with CVE-2026-27707, which allows unauthenticated attackers to create accounts, an attacker can gain authenticated access with a new account and then exploit this authorization bypass to retrieve credentials of all users, including administrators. These credentials could be abused to intercept notifications or perform further attacks. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting high confidentiality impact but no impact on integrity or availability, and requires only low privileges and no user interaction. The issue was addressed in Seerr version 3.1.0 by implementing proper authorization checks and fixing the account creation flaw. No public exploits have been reported, but the vulnerability poses a significant risk to confidentiality if left unpatched.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive third-party API credentials belonging to all users of the affected Seerr instances. Attackers can leverage these credentials to intercept or manipulate notifications sent via Pushover, Pushbullet, and Telegram, potentially leading to further social engineering or lateral movement. The exposure of administrator credentials is particularly concerning as it could facilitate privilege escalation or compromise of administrative functions. Organizations relying on Seerr for media management risk data leakage and unauthorized access to integrated notification services. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can undermine trust and lead to secondary attacks. The combined zero-prior-access exploit chain increases the risk by allowing unauthenticated attackers to gain initial access and then escalate privileges. This threat is especially relevant for organizations with multiple users and administrators using Seerr versions prior to 3.1.0, as well as those integrating with the affected third-party notification services.

Organizations should immediately upgrade all Seerr deployments to version 3.1.0 or later, which contains fixes for both CVE-2026-27793 and CVE-2026-27707. Until upgrades are applied, restrict access to the Seerr API endpoints to trusted users and networks to reduce exposure. Conduct an audit of all user accounts and third-party API credentials stored within Seerr to identify potential compromise. Rotate all exposed Pushover, Pushbullet, and Telegram API keys and tokens to invalidate any leaked credentials. Implement network segmentation and monitoring to detect unusual access patterns or API calls indicative of exploitation attempts. Review and tighten authentication and authorization controls around user data access in custom integrations or deployments. Additionally, monitor official Seerr project communications for any further updates or patches. Employ logging and alerting on API access to detect unauthorized attempts to enumerate user data. Finally, educate users and administrators about the risks of credential exposure and encourage prompt reporting of suspicious activity.