CVE-2026-30924 affects the 'qui' web interface component of autobrr, a management tool for qBittorrent instances. Versions 1.14.1 and earlier implement an overly permissive CORS policy that reflects the Origin header from incoming requests without validation and simultaneously sets Access-Control-Allow-Credentials to true. This combination violates secure CORS practices by allowing any external domain to perform cross-origin requests with credentials (cookies, HTTP authentication) included. An attacker can exploit this by luring an authenticated user to visit a malicious webpage that silently issues requests to the vulnerable qui interface. Because the victim's browser includes session credentials, the attacker-controlled page can perform actions on behalf of the user, such as retrieving sensitive information like API keys and account credentials. Furthermore, the attacker may leverage the External Programs manager feature within qui to execute arbitrary commands, potentially leading to full system compromise. Exploitation requires the victim to access the application through a hostname other than localhost and to interact with a malicious webpage, making social engineering the primary attack vector. At the time of disclosure, no patches or fixes were available, leaving users exposed. The vulnerability is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) and carries a CVSS 4.0 score of 9, indicating critical severity due to network exploitability, low attack complexity, and high impact on confidentiality, integrity, and availability.

This vulnerability poses a severe risk to organizations using autobrr's qui interface, especially those exposing the service on non-localhost hostnames accessible from user browsers. Successful exploitation can lead to unauthorized access to sensitive data including API keys and user credentials, enabling attackers to manipulate torrent management and potentially pivot to broader system compromise via the External Programs manager. The ability to execute arbitrary commands elevates the threat to full system takeover, risking data loss, service disruption, and lateral movement within networks. Since exploitation relies on social engineering, targeted attacks against high-value users or administrators are likely. Organizations with exposed qui interfaces in corporate or cloud environments face significant confidentiality, integrity, and availability impacts. The lack of available patches at disclosure increases the window of exposure, necessitating immediate mitigation to prevent exploitation.

1. Immediately restrict access to the qui web interface to trusted networks and localhost only, preventing exposure to external or untrusted origins. 2. Implement strict CORS policies that whitelist only specific, trusted origins and avoid reflecting arbitrary Origin headers. 3. Disable Access-Control-Allow-Credentials or ensure it is only set when the origin is verified and trusted. 4. Employ network-level controls such as firewalls or VPNs to limit access to the management interface. 5. Educate users about the risks of social engineering and the dangers of visiting untrusted websites while authenticated to sensitive services. 6. Monitor application logs for unusual cross-origin requests or suspicious activity indicative of exploitation attempts. 7. If possible, isolate the qui interface in a segmented environment with minimal privileges to reduce impact if compromised. 8. Track vendor communications for patches or updates and apply them promptly once available. 9. Consider implementing multi-factor authentication and session timeouts to reduce the risk of session hijacking. 10. Conduct regular security assessments and penetration testing focused on web interface vulnerabilities and CORS misconfigurations.