9.8

Seerr: Unauthenticated Account Registration on Plex Configured Instances

CVE-2026-27707
Summary

Seerr, a media management tool, has a security flaw that allows anyone to create an account on a Seerr-Plex setup without logging in. This only affects Seerr installations that use Plex and have specific default settings. To fix this, update to version 3.1.0 or change your settings to not use the default values.

What to do

Update to Seerr version 3.1.0, which fixes this issue.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| seerr | seerr | > 2.0.0, <= 3.1.0 | – |
Original title
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/a...
Original description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment); `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
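
A defender-side check of the three conditions and the version range from the description above, as an added example (not code from Seerr or from this advisory). It assumes the settings are available as JSON with top-level `main` and `jellyfin` objects and that `mediaServerType` appears as the string `PLEX`; the sample settings and version strings are constructed.

```python
import json

# Affected range per the description: from 2.0.0 up to, not including, 3.1.0.
FIRST_AFFECTED, FIXED = (2, 0, 0), (3, 1, 0)
# Assumption: the media server type appears as the string the advisory uses.
PLEX_VALUES = {"PLEX"}

def parse_version(text):
    """'v2.7.3' -> (2, 7, 3). Pre-release/build suffixes are ignored."""
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def assess(settings, version):
    """Return each exposure condition plus an overall 'exposed' verdict."""
    main = settings.get("main", {})
    jellyfin = settings.get("jellyfin", {})
    findings = {
        "version_affected": FIRST_AFFECTED <= parse_version(version) < FIXED,
        "media_server_is_plex": main.get("mediaServerType") in PLEX_VALUES,
        # A missing or empty value is treated as the default the advisory lists.
        "jellyfin_ip_empty": not jellyfin.get("ip", ""),
        "new_plex_login_enabled": main.get("newPlexLogin", True) is True,
    }
    findings["exposed"] = all(findings.values())
    return findings

# Constructed sample settings (not taken from a real deployment).
DEFAULT_PLEX = json.loads(
    '{"main": {"mediaServerType": "PLEX", "newPlexLogin": true},'
    ' "jellyfin": {"ip": ""}}'
)
HARDENED_PLEX = json.loads(
    '{"main": {"mediaServerType": "PLEX", "newPlexLogin": false},'
    ' "jellyfin": {"ip": ""}}'
)

if __name__ == "__main__":
    for name, cfg, ver in [
        ("default, 2.7.3", DEFAULT_PLEX, "2.7.3"),
        ("default, 3.1.0", DEFAULT_PLEX, "3.1.0"),
        ("newPlexLogin off, 2.7.3", HARDENED_PLEX, "2.7.3"),
    ]:
        result = assess(cfg, ver)
        not_met = [k for k, v in result.items() if k != "exposed" and not v]
        print(f"{name}: exposed={result['exposed']} not_met={not_met}")
```
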
nvd CVSS3.1 9.8
Vulnerability type
CWE-288 Authentication Bypass Using Alternate Path
CWE-807 Reliance on Untrusted Inputs in a Security Decision
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026