HIGH | CVE-2026-30976 | CVSS 8.6

CVE-2026-30976: Path Traversal in Sonarr

Platform

windows

Component

sonarr

Fixed in

4.0.1

AI Confidence: high | NVD | EPSS 0.1% | Reviewed: May 2026

CVE-2026-30976 describes a Path Traversal vulnerability discovered in Sonarr, a PVR (Personal Video Recorder) application. The vulnerability allows an unauthenticated remote attacker to potentially read any file accessible to the Sonarr process. The issue affects Sonarr versions 4.0 and later that are earlier than 4.0.17.2950; it has been patched in 4.0.17.2950.

Impact and Attack Scenarios

The impact of this vulnerability is significant due to the potential for unauthorized access to sensitive information. An attacker could exploit this flaw to read application configuration files, which often contain API keys and database credentials. Compromise of these credentials could lead to complete control over the Sonarr instance and potentially the underlying system. Furthermore, the vulnerability allows access to Windows system files and any user-accessible files on the same drive as the Sonarr installation, significantly expanding the potential blast radius. This vulnerability highlights the importance of proper input validation and access controls, especially in applications handling user-provided data.

Exploitation Context

This vulnerability was publicly disclosed on March 25, 2026. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released, but the ease of exploitation suggests that a PoC could emerge quickly. The vulnerability is specific to Windows systems, which may limit its overall exposure.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.06% (19th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Base score: 8.6 (HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)

(nextguardhq.com, CVSS v3.1 Base Score)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: sonarr
Vendor: Sonarr
Affected range: >= 4.0, < 4.0.17.2950
Fixed in: 4.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-30976 is to immediately upgrade Sonarr to version 4.0.17.2950 or later. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing path traversal attempts (e.g., ../ sequences). Restrict access to the Sonarr application to trusted networks and users. Regularly review Sonarr's configuration files and ensure they are stored with appropriate permissions to prevent unauthorized access. After upgrading, confirm the fix by attempting a path traversal request through the Sonarr API and verifying that access is denied.
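A log-review check for the WAF-style rule described above, added here as an example; it is not code from Sonarr or from this advisory. It percent-decodes request targets until stable (so double encoding is undone) and treats backslashes as separators, because the flaw is Windows-specific, so the `..%2f`, `%252e%252e` and `..\` forms that a plain `../` substring filter misses are still caught, while a filename such as `Wait.../Episode.mkv` is not flagged. The `/files/` endpoint and the log lines are constructed, not real Sonarr routes.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample; the /files/ endpoint is hypothetical, not a real Sonarr route.
SAMPLE_LOG = r"""
10.0.0.5 - - [25/Mar/2026:10:01:02 +0000] "GET /api/v3/system/status HTTP/1.1" 200 512
10.0.0.9 - - [25/Mar/2026:10:01:07 +0000] "GET /files/../../config.xml HTTP/1.1" 200 2048
10.0.0.9 - - [25/Mar/2026:10:01:09 +0000] "GET /files/..%2f..%2fconfig.xml HTTP/1.1" 200 2048
10.0.0.9 - - [25/Mar/2026:10:01:11 +0000] "GET /files/%252e%252e%5cconfig.xml HTTP/1.1" 200 2048
10.0.0.9 - - [25/Mar/2026:10:01:13 +0000] "GET /files/..\..\config.xml HTTP/1.1" 200 2048
10.0.0.5 - - [25/Mar/2026:10:01:20 +0000] "GET /files/Wait.../Episode.mkv HTTP/1.1" 200 7
"""

# Extracts the request target from a common-log-format request field.
REQUEST_TARGET = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def normalize_request_path(raw: str) -> str:
    """Percent-decode until stable (bounded, so double encoding is undone),
    then treat backslashes as separators: the flaw is Windows-specific."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal_segment(path: str) -> bool:
    """True if any path or query-value segment is exactly '..'.
    Whole-segment matching avoids flagging names like 'Wait...'."""
    return any(seg == ".." for seg in re.split(r"[/?&=]", path))


def find_traversal_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_request_target) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        target = m.group(1)
        if has_traversal_segment(normalize_request_path(target)):
            hits.append((line.split(" ", 1)[0], target))
    return hits


if __name__ == "__main__":
    for ip, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```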

How to fix

Update Sonarr to version 4.0.17.2950 or later. Alternatively, ensure that Sonarr is only accessible from a secure internal network and accessed via VPN, Tailscale or a similar solution outside that network.


Frequently asked questions

What is CVE-2026-30976 — Path Traversal in Sonarr?

CVE-2026-30976 is a Path Traversal vulnerability in Sonarr versions 4.0 through 4.0.17.2949, allowing unauthorized file access.

Am I affected by CVE-2026-30976 in Sonarr?

You are affected if you are running Sonarr 4.0 or later but earlier than 4.0.17.2950 on a Windows system.

How do I fix CVE-2026-30976 in Sonarr?

Upgrade Sonarr to version 4.0.17.2950 or later. Consider WAF rules as a temporary workaround.

Is CVE-2026-30976 being actively exploited?

There is currently no confirmed active exploitation, but the vulnerability's ease of exploitation suggests potential for future attacks.

Where can I find the official Sonarr advisory for CVE-2026-30976?

Refer to the Sonarr blog and GitHub repository for official announcements and updates regarding this vulnerability.
