Platform
windows
Component
sonarr
Fixed in
4.0.1
CVE-2026-30976 describes a Path Traversal vulnerability discovered in Sonarr, a PVR (Personal Video Recorder) application. This vulnerability allows an unauthenticated remote attacker to potentially read any file accessible by the Sonarr process. The issue affects Sonarr versions from 4.0 up to but not including 4.0.17.2950, which is the version that contains the patch.
The impact of this vulnerability is significant due to the potential for unauthorized access to sensitive information. An attacker could exploit this flaw to read application configuration files, which often contain API keys and database credentials. Compromise of these credentials could lead to complete control over the Sonarr instance and potentially the underlying system. Furthermore, the vulnerability allows access to Windows system files and any user-accessible files on the same drive as the Sonarr installation, significantly expanding the potential blast radius. This vulnerability highlights the importance of proper input validation and access controls, especially in applications handling user-provided data.
This vulnerability was publicly disclosed on March 25, 2026. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released, but the ease of exploitation suggests that a PoC could emerge quickly. The vulnerability is specific to Windows systems, which may limit its overall exposure.
Exploit Status
EPSS
0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2026-30976 is to immediately upgrade Sonarr to version 4.0.17.2950 or later. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing path traversal attempts (e.g., ../ sequences). Restrict access to the Sonarr application to trusted networks and users. Regularly review Sonarr's configuration files and ensure they are stored with appropriate permissions to prevent unauthorized access. After upgrading, confirm the fix by attempting a path traversal request through the Sonarr API and verifying that access is denied.
Update Sonarr to version 4.0.17.2950 or later. Alternatively, ensure that Sonarr is only accessible from a secure internal network and accessed via VPN, Tailscale or a similar solution outside that network.
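The two controls described above, a request-level rule that rejects traversal sequences and a server-side check that keeps a resolved file path inside its intended directory, are illustrated below in an added example. This is not Sonarr's code and not code from this page; the route and file names in the constructed log lines are placeholders, not the affected endpoint. The rule also goes beyond the bare `../` the advisory names: it percent-decodes twice so double-encoded dots are seen, and it treats Windows backslashes like forward slashes, since the affected platform is Windows.

```python
import os
from urllib.parse import unquote, urlsplit


def normalize_request_path(raw_path: str) -> str:
    # Percent-decode twice so double-encoded dots (%252e%252e) are revealed,
    # then fold Windows backslashes into '/' so "..\" is treated like "../".
    decoded = unquote(unquote(raw_path))
    return decoded.replace("\\", "/")


def has_traversal(raw_path: str) -> bool:
    # WAF-style rule: reject any path that, once normalized, carries a ".."
    # segment. Matching whole segments avoids false positives on names such
    # as "..more" while still catching "/../", "..%2f" and "..\".
    norm = normalize_request_path(raw_path)
    return any(segment == ".." for segment in norm.split("/"))


def resolve_under_base(base_dir: str, user_path: str):
    # Server-side containment check: resolve the requested file against the
    # directory it must stay inside and refuse anything that escapes it.
    # Returns the resolved absolute path, or None if the path escapes.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(
        os.path.join(base_real, normalize_request_path(user_path))
    )
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def scan_access_log(lines):
    # Detection: pull the request target out of CLF-style access log lines
    # and return the lines whose path carries a traversal attempt.
    flagged = []
    for line in lines:
        try:
            method, target = line.split('"')[1].split(" ")[:2]
        except (IndexError, ValueError):
            continue
        if has_traversal(urlsplit(target).path):
            flagged.append(line)
    return flagged


# Constructed sample log lines; "/api/v3/EXAMPLE" and "app.config" are
# placeholders, not Sonarr's real routes or file names.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Mar/2026:10:00:01 +0000] "GET /api/v3/EXAMPLE/12/poster.jpg HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Mar/2026:10:00:07 +0000] "GET /api/v3/EXAMPLE/..%2F..%2Fapp.config HTTP/1.1" 200 2048',
    '10.0.0.9 - - [25/Mar/2026:10:00:09 +0000] "GET /api/v3/EXAMPLE/%252e%252e/%252e%252e/app.config HTTP/1.1" 200 2048',
    '10.0.0.5 - - [25/Mar/2026:10:00:12 +0000] "GET /api/v3/series HTTP/1.1" 200 900',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print(resolve_under_base("/srv/app/media", "12/poster.jpg"))
    print(resolve_under_base("/srv/app/media", "../app.config"))
```

The log scanner is the temporary detection layer while an upgrade is pending; `resolve_under_base` is the kind of check the application itself must perform, because a WAF sees only what reaches it and an encoding it does not decode slips past. After upgrading, the same scanner can be kept on the access log to confirm that the requests it flags are answered with a denial rather than a 200.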
CVE-2026-30976 is a Path Traversal vulnerability in Sonarr versions 4.0 through 4.0.17.2949, allowing unauthorized file access.
You are affected if you are running a Sonarr version from 4.0 up to but not including 4.0.17.2950 on a Windows system.
Upgrade Sonarr to version 4.0.17.2950 or later. Consider WAF rules as a temporary workaround.
There is currently no confirmed active exploitation, but the vulnerability's ease of exploitation suggests potential for future attacks.
Refer to the Sonarr blog and GitHub repository for official announcements and updates regarding this vulnerability.
CVSS Vector