The vulnerability CVE-2026-30924 affects 'qui', a web interface component of autobrr used to manage qBittorrent instances. Versions 1.14.1 and earlier implement a Cross-Origin Resource Sharing (CORS) policy that is overly permissive: it reflects arbitrary origins in the Access-Control-Allow-Origin header while simultaneously returning Access-Control-Allow-Credentials: true. This combination violates secure CORS practices because it allows any external domain to send authenticated requests using the victim's session cookies or credentials, effectively bypassing same-origin policy protections. An attacker can exploit this by tricking a logged-in user into visiting a malicious webpage that silently issues requests to the 'qui' interface, leveraging the victim's authenticated session. Potential impacts include exfiltration of sensitive information such as API keys and account credentials. More critically, the attacker can leverage the built-in External Programs manager to execute arbitrary commands, potentially leading to full system compromise. Exploitation requires that the victim accesses the application via a hostname other than localhost and interacts with a malicious webpage, making social engineering a key component of the attack vector. At the time of disclosure, no patch or fix was available, increasing the urgency for mitigation. The CVSS 4.0 base score of 9.0 reflects the critical nature of this vulnerability, with network attack vector, low complexity, partial attack prerequisites, user interaction required, and high impact on confidentiality, integrity, and availability.

This vulnerability poses a severe risk to organizations using autobrr's 'qui' interface for managing qBittorrent instances. Successful exploitation can lead to unauthorized access to sensitive data including API keys and user credentials, which may be used to pivot to other systems or escalate privileges. The ability to execute arbitrary commands via the External Programs manager can result in full system compromise, data loss, service disruption, or lateral movement within the network. Because the attack requires user interaction and access via a non-localhost hostname, it is particularly dangerous in environments where 'qui' is exposed to internal networks or the internet. The impact extends beyond confidentiality breaches to integrity and availability, potentially disrupting critical file-sharing or automation workflows. Organizations relying on 'qui' for torrent management in enterprise or personal environments face risks of data theft, operational disruption, and reputational damage if exploited.

To mitigate this vulnerability, organizations should immediately restrict access to the 'qui' interface to localhost or trusted internal networks using firewall rules or network segmentation to prevent exposure to untrusted origins. Disable or properly configure CORS policies to avoid reflecting arbitrary origins and ensure Access-Control-Allow-Credentials is only set when origins are explicitly validated. Employ web application firewalls (WAFs) to detect and block suspicious cross-origin requests targeting 'qui'. Educate users to avoid visiting untrusted or attacker-controlled websites while logged into 'qui'. If possible, disable or restrict the External Programs manager functionality to limit the potential for command execution. Monitor network and application logs for unusual activity indicative of exploitation attempts. Until an official patch is released, consider deploying reverse proxies or API gateways that enforce strict origin validation and credential handling. Regularly check for updates from the vendor and apply patches promptly once available.