CVE-2026-27793 MEDIUM

CVE-2026-27793: Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials

Vendor Seerr-Team
Product seerr
Weakness CWE-639 · IDOR
Published February 27, 2026
Last update March 2, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.
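As an added illustration (this is not Seerr's code and not the fix shipped in 3.1.0), the TypeScript below shows the two behaviours the description contrasts: a serializer that hands the full user record to any authenticated caller, and one that applies an object-level check so that notification settings reach only the record's owner or an administrator. It also includes a small audit helper that inspects a parsed `GET /api/v1/user/:id` response body for credential fields, which is the check a tester would run with a low-privilege account against an instance before and after upgrading. The type names, permission values, settings field names and sample users are assumptions made for the example.

```typescript
// Added example, not Seerr's code. Field and permission names are
// assumptions for illustration; they are not taken from Seerr's schema.

type Permission = "ADMIN" | "MANAGE_USERS" | "REQUEST";

// Third-party notification credentials stored per user (assumed names).
interface NotificationSettings {
  pushoverApplicationToken?: string;
  pushoverUserKey?: string;
  pushbulletAccessToken?: string;
  telegramChatId?: string;
}

interface User {
  id: number;
  email: string;
  displayName: string;
  permissions: Permission[];
  settings?: NotificationSettings;
}

// What any authenticated requester may see about another user.
interface PublicUserView {
  id: number;
  displayName: string;
}

// Settings keys that must never leave the owner's or an admin's view.
const CREDENTIAL_KEYS: (keyof NotificationSettings)[] = [
  "pushoverApplicationToken",
  "pushoverUserKey",
  "pushbulletAccessToken",
  "telegramChatId",
];

// Vulnerable behaviour: the requester is authenticated but never compared
// with the target, so the full record (settings included) is returned.
function serializeUserVulnerable(_requester: User, target: User): User {
  return { ...target };
}

// Hardened behaviour: object-level authorization. Only the owner of the
// record or a requester holding an admin-level permission gets the full
// record; everyone else gets the public subset with no settings key at all.
function serializeUser(requester: User, target: User): PublicUserView | User {
  const isOwner = requester.id === target.id;
  const isAdmin = requester.permissions.some(
    (p) => p === "ADMIN" || p === "MANAGE_USERS"
  );
  if (isOwner || isAdmin) {
    return { ...target };
  }
  return { id: target.id, displayName: target.displayName };
}

// Audit helper: given the parsed JSON body of a GET /api/v1/user/:id
// response, list which credential fields are present and non-empty.
function leakedCredentialKeys(body: unknown): string[] {
  if (typeof body !== "object" || body === null) return [];
  const settings = (body as Record<string, unknown>).settings;
  if (typeof settings !== "object" || settings === null) return [];
  const s = settings as Record<string, unknown>;
  return CREDENTIAL_KEYS.filter(
    (k) => typeof s[k] === "string" && (s[k] as string) !== ""
  );
}

// Constructed sample users (not real accounts or credentials).
const adminUser: User = {
  id: 1,
  email: "admin@example.invalid",
  displayName: "admin",
  permissions: ["ADMIN"],
  settings: {
    pushoverApplicationToken: "constructed-app-token",
    pushoverUserKey: "constructed-user-key",
    telegramChatId: "123456",
  },
};

const lowPrivUser: User = {
  id: 7,
  email: "viewer@example.invalid",
  displayName: "viewer",
  permissions: ["REQUEST"],
  settings: { pushbulletAccessToken: "constructed-pb-token" },
};

// Stand-alone demonstration: a low-privilege caller fetching the admin's record.
console.log(
  "vulnerable leaks:",
  leakedCredentialKeys(serializeUserVulnerable(lowPrivUser, adminUser))
);
console.log(
  "hardened leaks:",
  leakedCredentialKeys(serializeUser(lowPrivUser, adminUser))
);
```

The hardened serializer omits the `settings` key entirely rather than blanking its values, so the public view gives no hint about which integrations a user has configured; the audit helper treats a missing key and an empty string the same way, which is what you want when comparing responses across versions.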

Key dates

02 Disclosure timeline

February 27, 2026 CVE published
March 2, 2026 Record updated