{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/sonarr/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sonarr"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-30976","sonarr","file-read","windows"],"_cs_type":"advisory","_cs_vendors":["Sonarr"],"content_html":"\u003cp\u003eCVE-2026-30976 is a critical unauthenticated remote file read vulnerability affecting Sonarr, a PVR for Usenet and BitTorrent users. This vulnerability exists in the 4.x branch of Sonarr prior to version 4.0.17.2950. An unauthenticated attacker can exploit this flaw to read any file accessible by the Sonarr process, including sensitive application configuration files containing API keys and database credentials, as well as Windows system files and user-accessible data. This vulnerability is specific to Windows installations of Sonarr; macOS and Linux systems are not affected. The issue stems from insufficient validation of file paths, allowing attackers to traverse directories and access unauthorized files. The vulnerability has been patched in version 4.0.17.2950 (nightly/develop branch) and 4.0.17.2952 (stable/main releases).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Sonarr instance running on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the Sonarr server, exploiting the file path traversal vulnerability. The request targets a specific file, such as \u003ccode\u003eC:\\\\Windows\\\\win.ini\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSonarr processes the malicious HTTP request without proper validation of the file path.\u003c/li\u003e\n\u003cli\u003eThe Sonarr process reads the contents of the requested file (e.g., \u003ccode\u003eC:\\\\Windows\\\\win.ini\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe file contents are returned to the attacker in the HTTP response body.\u003c/li\u003e\n\u003cli\u003eThe attacker can then retrieve sensitive information such as API keys, database credentials from configuration files, or even access operating system files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted API keys or database credentials for further malicious activities, such as unauthorized access to connected services or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-30976 can lead to complete compromise of the Sonarr instance and potentially the underlying Windows system. An attacker could gain access to sensitive API keys, database credentials, and other confidential information, enabling them to perform unauthorized actions or steal valuable data. Given that Sonarr is often used to manage media libraries, the vulnerability could also expose users' personal files. The number of affected Sonarr installations is unknown, but the impact is high due to the sensitive nature of the exposed data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Sonarr to version 4.0.17.2950 (nightly/develop) or 4.0.17.2952 (stable/main) to patch CVE-2026-30976.\u003c/li\u003e\n\u003cli\u003eEnable logging for the webserver component of Sonarr and deploy the Sigma rule \u003ccode\u003eSonarr CVE-2026-30976 File Read Attempt\u003c/code\u003e to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, restrict access to the Sonarr web interface to a secure internal network and use a VPN or similar solution for external access as a workaround.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from the Sonarr server that might indicate unauthorized data exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T16:00:00Z","date_published":"2024-01-09T16:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-sonarr-file-read/","summary":"CVE-2026-30976 allows an unauthenticated remote attacker to read arbitrary files readable by the Sonarr process on Windows systems running vulnerable versions prior to 4.0.17.2950, potentially exposing sensitive data.","title":"Unauthenticated Remote File Read Vulnerability in Sonarr (CVE-2026-30976)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-sonarr-file-read/"}],"language":"en","title":"CraftedSignal Threat Feed - Sonarr","version":"https://jsonfeed.org/version/1.1"}