cvedb.io
CVE-2026-27793
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-02-27T20:21:39.587 · Last modified 2026-06-17T10:27:41.540

Summary

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.

Affected products

seerr — seerr

Does this affect you?

Add your gear to cvedb and we'll alert you only when seerr ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.