CVE-2026-27792

Medium
CWE-862 — Weakness Type
Published: Feb 27, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 5.4
📄 Description (English)

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue.

🤖 AI Executive Summary

CVE-2026-27792 is a missing authorization vulnerability in Seerr (versions 2.7.0 to 3.0.x) that allows authenticated users to access and modify other users' data through unprotected push subscription API routes. While the CVSS score is moderate (5.4), the vulnerability enables privilege escalation and data manipulation within media management systems. Organizations using Seerr should prioritize upgrading to version 3.1.0 or implementing compensating controls immediately.

🤖 AI Intelligence Analysis (analyzed: May 27, 2026 22:02)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using Seerr for media management in enterprise environments, particularly in: (1) Government agencies and ministries using Jellyfin/Plex for internal media distribution; (2) Educational institutions (universities, schools) managing educational content; (3) Healthcare facilities using media systems for training and patient education; (4) Large enterprises with internal media libraries. The risk is elevated in organizations with multi-user environments where data segregation is critical for compliance with NCA ECC 2024 and SAMA CSF requirements.
🏢 Affected Saudi Sectors
Government, Education, Healthcare, Enterprise/Large Organizations, Media and Broadcasting
⚖️ Saudi Risk Score (AI): 6.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all instances of Seerr running versions 2.7.0 through 3.0.x in your environment
2. Restrict API access to push subscription endpoints using network-level controls (WAF/API gateway rules)
3. Implement IP whitelisting for API endpoints if possible
4. Review access logs for unauthorized API calls to /api/v1/user/*/pushSubscriptions endpoints

Patching Guidance:
1. Upgrade Seerr to version 3.1.0 or later immediately
2. Test the upgrade in a staging environment first
3. Verify that the isOwnProfileOrAdmin() middleware is properly enforced post-upgrade

Compensating Controls (if immediate patching not possible):
1. Implement reverse proxy authentication requiring additional verification for API calls
2. Deploy API gateway rules to block cross-user data access patterns
3. Enable detailed API logging and alerting for suspicious push subscription modifications
4. Restrict Seerr access to trusted internal networks only

Detection Rules:
1. Monitor for API requests to /api/v1/user/{userId}/pushSubscriptions where userId differs from authenticated user
2. Alert on multiple failed authorization attempts to subscription endpoints
3. Track modifications to push subscription settings by non-owner accounts
4. Log all API calls to subscription endpoints with user context for forensic analysis
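A sample detector for the rules above, added here as an example that is not part of the original page or of the Seerr project: it assumes an access log format (constructed below) that records the authenticated user id and an admin flag per request, and treats admin accounts as permitted to touch other users' subscriptions, matching the intent of the isOwnProfileOrAdmin() middleware named on the page.

```python
import re
from collections import Counter

# Constructed sample log lines (not real Seerr output). Each line carries the
# authenticated user id, an admin flag, HTTP method, path and status code.
SAMPLE_LOG = """\
2026-02-28T10:00:01Z user=12 admin=0 GET /api/v1/user/12/pushSubscriptions 200
2026-02-28T10:00:05Z user=12 admin=0 GET /api/v1/user/7/pushSubscriptions 200
2026-02-28T10:00:09Z user=12 admin=0 DELETE /api/v1/user/7/pushSubscriptions/abc 200
2026-02-28T10:01:00Z user=3 admin=1 GET /api/v1/user/7/pushSubscriptions 200
2026-02-28T10:02:00Z user=19 admin=0 POST /api/v1/user/8/pushSubscriptions 403
2026-02-28T10:02:03Z user=19 admin=0 POST /api/v1/user/9/pushSubscriptions 403
2026-02-28T10:02:06Z user=19 admin=0 POST /api/v1/user/10/pushSubscriptions 403
2026-02-28T10:03:00Z user=5 admin=0 GET /api/v1/user/5/settings 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) admin=(?P<admin>[01]) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Matches the affected route family; the {userId} path segment is captured as target.
SUB_PATH_RE = re.compile(r"^/api/v1/user/(?P<target>\d+)/pushSubscriptions(?:/|$)")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
FAILED_AUTH_THRESHOLD = 3  # assumed tuning value for rule 2


def analyze(log_text, threshold=FAILED_AUTH_THRESHOLD):
    """Return (rule, timestamp, user, detail) alerts for rules 1-3 above."""
    alerts = []
    failed = Counter()  # 403 count per authenticated user (rule 2)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        sp = SUB_PATH_RE.match(m["path"])
        if not sp:
            continue  # not a push subscription endpoint
        user, target = m["user"], sp["target"]
        is_admin = m["admin"] == "1"
        status = int(m["status"])
        if user != target and not is_admin and status < 400:
            # Rule 1: cross-user access that the server did not refuse;
            # rule 3: the same pattern with a write method is a non-owner modification.
            rule = "non-owner modification" if m["method"] in WRITE_METHODS else "cross-user access"
            alerts.append((rule, m["ts"], user, f"{m['method']} {m['path']}"))
        if status == 403:
            failed[user] += 1
            if failed[user] == threshold:
                alerts.append(("repeated authorization failures", m["ts"], user, f"{threshold} x 403"))
    return alerts
```

Successful cross-user reads are the signal that the vulnerable version was exercised; the 403 burst is what the same probing looks like once 3.1.0 enforces the middleware.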
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control policy
A.6.2.1 - User registration and access rights management
A.6.2.2 - Privileged access rights
A.9.2.1 - User access management
A.9.4.3 - Password management
A.10.1.1 - Cryptography policy
A.12.4.1 - Event logging
A.12.4.3 - Administrator and operator logs
🔵 SAMA CSF
ID.AC-1 - Access Control Policy
ID.AC-2 - Physical and Logical Access Controls
PR.AC-1 - Identities and Credentials
PR.AC-3 - Access Enforcement
PR.AC-4 - Access Rights Management
DE.AE-1 - Audit Logs
DE.CM-1 - System Monitoring
🟡 ISO 27001:2022
5.3 - Access Control
6.2 - Information and other assets
8.2 - Information security risk assessment
8.3 - Information security risk treatment
A.5.1.1 - Policies for information security
A.6.1.1 - Access control policy
A.6.2.1 - User registration and access rights
A.6.2.2 - Privileged access rights
A.8.1.1 - User endpoint devices
A.9.2.1 - User access management
A.12.4.1 - Event logging
📊 CVSS Score: 5.4 / 10.0 — Medium
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: Low (C:L)
Integrity: Low (I:L)
Availability: None (A:N)
📋 Quick Facts
Severity: Medium
CVSS Score: 5.4
CWE: CWE-862
EPSS: 0.01%
Exploit: No
Patch: ✗ No
Published: 2026-02-27
Source Feed: nvd
Views: 5
🇸🇦 Saudi Risk Score: 6.2 / 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags: CWE-862