Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-27793

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 month, 4 weeks ago Activity log

Created suggestion 1 month, 4 weeks ago

Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.

References

https://github.com/seerr-team/seerr/security/advisories/GHSA-f7xw-jcqr-57hp x_refsource_CONFIRM
https://github.com/seerr-team/seerr/commit/4f089b29d0bb41d382168b17aa152eb5b8a25303 x_refsource_MISC
https://github.com/seerr-team/seerr/releases/tag/v3.1.0 x_refsource_MISC

Affected products

seerr

==< 3.1.0

Matching in nixpkgs

pkgs.overseerr

Request management and media discovery tool for the Plex ecosystem

nixos-unstable 1.34.0
- nixpkgs-unstable 1.34.0
- nixos-unstable-small 1.34.0
nixos-25.11 1.34.0
- nixos-25.11-small 1.34.0
- nixpkgs-25.11-darwin 1.34.0

pkgs.jellyseerr

Fork of overseerr for jellyfin support

nixos-unstable 2.7.3
- nixpkgs-unstable 2.7.3
- nixos-unstable-small 2.7.3
nixos-25.11 2.7.3
- nixos-25.11-small 2.7.3
- nixpkgs-25.11-darwin 2.7.3

pkgs.python312Packages.python-overseerr

Client for Overseerr

nixos-25.11 0.7.1
- nixos-25.11-small 0.7.1
- nixpkgs-25.11-darwin 0.7.1

pkgs.python313Packages.python-overseerr

Client for Overseerr

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-25.11 0.7.1
- nixos-25.11-small 0.7.1
- nixpkgs-25.11-darwin 0.7.1

pkgs.python314Packages.python-overseerr

Client for Overseerr

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0

pkgs.home-assistant-component-tests.overseerr

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.overseerr

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@camillemndn Camille M. <camillemondon@free.fr>
@jf-uu jf-uu