Nixpkgs security tracker

Untriaged

Permalink CVE-2026-30975

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 3 weeks, 3 days ago

Sonarr Authentication Bypass vulnerability

Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.

References

https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r x_refsource_CONFIRM
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942 x_refsource_MISC
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944 x_refsource_MISC

Affected products

Sonarr

==< 4.0.16.2942

Matching in nixpkgs

pkgs.sonarr

Smart PVR for newsgroup and bittorrent users

nixos-unstable 4.0.16.2944
- nixpkgs-unstable 4.0.16.2944
- nixos-unstable-small 4.0.16.2944
nixos-25.11 4.0.16.2944
- nixos-25.11-small 4.0.16.2944
- nixpkgs-25.11-darwin 4.0.16.2944

pkgs.home-assistant-component-tests.sonarr

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.sonarr