Seerr API Exposes User Settings for Any User

CVE-2026-27793
Summary

Prior to version 3.1.0, Seerr's API revealed sensitive user settings, such as third-party service credentials, to any authenticated user. This could allow unauthorized access to user accounts. Update to version 3.1.0 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| seerr | seerr | <= 3.1.0 | – |

Original title
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, ...
Original description
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.
nvd CVSS3.1 6.5
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
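
The access-control flaw described above (CWE-639 on `GET /api/v1/user/:id`), shown as an added example that is not Seerr's code: a handler that returns the whole user record beside one that returns settings only to the owner or an administrator, plus a regression check that flags cross-user settings in responses. The user store, field names and function names are hypothetical, and the token values are constructed.

```javascript
// Constructed sample data; field names are illustrative, not Seerr's schema.
const USERS = new Map([
  [1, { id: 1, displayName: 'admin', isAdmin: true,
        settings: { pushoverApplicationToken: 'EXAMPLE-ADMIN-TOKEN', telegramChatId: '1000' } }],
  [2, { id: 2, displayName: 'alice', isAdmin: false,
        settings: { pushbulletAccessToken: 'EXAMPLE-ALICE-TOKEN' } }],
]);

// Vulnerable pattern: the :id path parameter alone selects the record, and
// the full object goes back to whoever is logged in.
function getUserVulnerable(requester, id) {
  const user = USERS.get(Number(id));
  return user ? { status: 200, body: user } : { status: 404 };
}

// Hardened pattern: public fields for every authenticated requester,
// settings only when the requester owns the record or is an administrator.
function getUserHardened(requester, id) {
  const user = USERS.get(Number(id));
  if (!user) return { status: 404 };
  const body = { id: user.id, displayName: user.displayName };
  if (requester.id === user.id || requester.isAdmin) {
    body.settings = user.settings;
  }
  return { status: 200, body };
}

// Authorization regression check: call the handler for each record as the
// given requester and collect ids whose response carries another user's settings.
function findSettingsLeaks(handler, requester) {
  const leaks = [];
  for (const id of USERS.keys()) {
    const res = handler(requester, id);
    if (id !== requester.id && res.body && res.body.settings) leaks.push(id);
  }
  return leaks;
}

const alice = USERS.get(2); // low-privilege requester
console.log('vulnerable handler leaks ids:', findSettingsLeaks(getUserVulnerable, alice));
console.log('hardened handler leaks ids:  ', findSettingsLeaks(getUserHardened, alice));
```

The same check pattern fits an integration test suite: any non-empty result for a non-admin requester means the endpoint is returning settings across user boundaries.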