CVE-2026-27793

Medium
CWE-639 — Weakness Type
Published: Feb 27, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
6.5
🔗 NVD Official
📄 Description (English)

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.

🤖 AI Executive Summary

Seerr versions prior to 3.1.0 contain an information disclosure vulnerability (CWE-639, authorization bypass through a user-controlled key): any authenticated user can retrieve the full settings object of any other user, including that user's Pushover, Pushbullet, and Telegram credentials, simply by requesting GET /api/v1/user/:id with the target's numeric ID. Combined with CVE-2026-27707 (unauthenticated account creation), this becomes a zero-prior-access chain that exposes administrators' notification credentials. Any Seerr deployment in which untrusted people hold accounts, or which is internet-reachable and also affected by CVE-2026-27707, is exposed; upgrading to 3.1.0 fixes both issues.

🤖 AI Intelligence Analysis Analyzed: May 12, 2026 22:03
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations running Seerr (for example in government IT departments, educational institutions, or enterprise media centres) are exposed whenever an untrusted person holds a Seerr account, or whenever the instance is reachable from the internet and is also affected by the unauthenticated account creation bug CVE-2026-27707. What leaks is not the media library but the per-user Pushover, Pushbullet, and Telegram credentials stored in Seerr, including those of administrators; where the same Telegram bot or Pushover application is reused for operational alerting, an attacker holding those tokens can send messages through those channels. Energy sector IT operations (ARAMCO), government agencies under NCA oversight, SAMA-regulated financial institutions, and telecom operators (STC, Mobily, Zain) that run Jellyfin/Plex-backed internal media platforms should treat any notification credential stored in an affected Seerr instance as compromised until it has been rotated.
🏢 Affected Saudi Sectors
Government Banking and Financial Services Energy (ARAMCO) Telecommunications (STC, Mobily, Zain) Healthcare Education Enterprise IT Operations
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Upgrade Seerr to version 3.1.0 or later; this release fixes both CVE-2026-27793 and the account creation bug CVE-2026-27707
2. If you cannot upgrade at once, take the instance off the public internet (VPN or authenticating reverse proxy) and restrict GET /api/v1/user/:id at the proxy to trusted networks; blocking the endpoint outright may break Seerr's own user and settings pages, so prefer restriction over a blanket deny
3. Treat every Pushover, Pushbullet, and Telegram credential stored in any Seerr user profile as exposed and rotate it; do the rotation after the upgrade (or after the endpoint has been restricted), otherwise the new values are readable through the same endpoint
4. Review proxy or access logs for GET /api/v1/user/<id> requests from non-administrative users and for sequential ID enumeration; the vulnerable endpoint answers these requests normally, so the application itself records no error
5. Review the notification services' own activity (Telegram bot messages, Pushover and Pushbullet usage) for messages your systems did not send

PATCHING GUIDANCE:
- Deploy version 3.1.0+ in development environment first
- Test media request functionality and notification services post-upgrade
- Schedule maintenance window for production deployment
- Verify patch application by confirming the version in application settings, then re-test as a non-administrative account that GET /api/v1/user/<another user's id> no longer returns that user's notification credentials
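The post-upgrade re-test described above, as an added example (not code from the Seerr project or from this advisory): a low-privilege session fetches another user's record and the body is scanned for notification credentials. The JSON field names in the sample bodies are invented for the example, since Seerr's real settings object may use different names; for that reason the scan keys on the service names (pushover, pushbullet, telegram) and credential-like key names rather than exact fields. The session cookie header and the command-line usage are assumptions as well.

```python
"""Post-upgrade check for CVE-2026-27793: as a low-privilege account, fetch
another user's record from GET /api/v1/user/<id> and look for notification
credentials in the response.

Added example; not code from the Seerr project or from this advisory.
Assumptions: the field names in the SAMPLE_* bodies are invented for the
example (Seerr's real settings object may differ, so the scan keys on the
service names rather than exact fields), and the session is passed as a
Cookie header; adapt to how your deployment authenticates.
"""
import json
import sys
import urllib.request

SERVICES = ("pushover", "pushbullet", "telegram")
SECRET_HINTS = ("token", "key", "secret", "chat", "user")  # assumption: credential-like key names


def find_notification_secrets(obj, path="$", in_service=False):
    """Walk decoded JSON; return paths of non-empty strings stored under a
    key that names a notification service (itself or an ancestor) and looks
    like a credential."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            lower = key.lower()
            svc = in_service or any(s in lower for s in SERVICES)
            here = f"{path}.{key}"
            if isinstance(val, str):
                if val and svc and any(h in lower for h in SECRET_HINTS):
                    hits.append(here)
            else:
                hits.extend(find_notification_secrets(val, here, svc))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_notification_secrets(val, f"{path}[{i}]", in_service))
    return hits


def check_body(body_text):
    """Empty list means the record carries no notification credentials."""
    return find_notification_secrets(json.loads(body_text))


def fetch_user(base_url, user_id, session_cookie):
    """GET /api/v1/user/<id> with a low-privilege session (assumed Cookie auth)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/user/{user_id}",
        headers={"Cookie": session_cookie, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed bodies: what a vulnerable instance might return vs. a fixed one.
SAMPLE_VULNERABLE = {
    "id": 1,
    "email": "admin@example.com",
    "settings": {
        "locale": "en",
        "pushoverApplicationToken": "azGDORePK8gMaC0QOYAMyEEuzJnyUi",
        "pushoverUserKey": "uQiRzpo4DXghDmr9QzzfQu27cmVRsG",
        "pushbulletAccessToken": "o.EXAMPLEEXAMPLEEXAMPLEEXAMPLE",
        "telegram": {"botToken": "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11",
                     "chatId": "987654321", "enabled": True},
    },
}
SAMPLE_FIXED = {"id": 1, "email": "admin@example.com", "settings": {"locale": "en"}}


if __name__ == "__main__":
    # usage: check.py https://seerr.example.com <user id> '<session cookie>'
    if len(sys.argv) == 4:
        leaks = check_body(fetch_user(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        leaks = check_body(json.dumps(SAMPLE_VULNERABLE))
    print("LEAK" if leaks else "clean", leaks)
```

Run it with a non-administrative session against an administrator's user ID; a patched instance should print "clean". Without arguments it scans the constructed vulnerable body and reports the five credential locations.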

COMPENSATING CONTROLS (if patch delayed):
- Place the instance behind a VPN or an authenticating reverse proxy and restrict /api/v1/user/* at the proxy to administrative source networks; this also neutralises the CVE-2026-27707 chain for outside attackers, because a newly created account still has to reach the endpoint
- Do not rely on a WAF to distinguish admin from non-admin users: the role lives in Seerr's session, which a proxy or WAF cannot see, so restriction has to be by source network or by an additional authentication layer
- Enable API request logging (method, path, status, source IP, and the authenticated identity where the proxy can see it) for /api/v1/user/* and alert on it
- Rate-limit the user endpoint; this slows mass enumeration but does not stop a single targeted read of an administrator's record, so treat it as a speed bump, not a control

DETECTION RULES:
- Alert on successful (HTTP 200) GET /api/v1/user/<id> requests from source IPs outside the administrative networks
- Alert when one client requests several distinct user IDs within a short window (for example /api/v1/user/1, /api/v1/user/2, /api/v1/user/3 in sequence); this is the enumeration pattern of an attacker harvesting every user's credentials
- Where TLS terminates at a proxy that can inspect response bodies, flag /api/v1/user/<id> responses containing 'pushover', 'pushbullet', or 'telegram' keys; on a patched instance they should no longer appear in another user's record
- Where the notification provider reports API usage, alert on any use of the old tokens after rotation; that is the clearest sign that the leaked copy is being exercised
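The first two detection rules above, implemented over reverse-proxy access logs as an added example (not code from the Seerr project or from this advisory). It assumes an nginx-style "combined" access log in front of Seerr, that administrators connect only from the 10.10.0.0/16 network, and a threshold of three distinct user IDs within five minutes; the log lines are constructed for the example.

```python
"""Detect reads of GET /api/v1/user/:id and user-ID enumeration from the
reverse-proxy access log in front of Seerr.

Added example; not code from the Seerr project or from this advisory.
Assumptions: nginx "combined" log format, admins connect only from
ADMIN_NETS, and the thresholds below. The SAMPLE_LOG lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumption: admin network
MIN_DISTINCT_IDS = 3                                 # assumption: enumeration threshold
WINDOW = timedelta(minutes=5)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
USER_RE = re.compile(r"^/api/v1/user/(?P<id>\d+)/?(?:\?.*)?$")

# Constructed sample: one external client walks IDs 1..3, one admin reads its own record.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2026:10:00:01 +0300] "GET /api/v1/user/1 HTTP/1.1" 200 1843 "-" "curl/8.4"
203.0.113.5 - - [27/Feb/2026:10:00:02 +0300] "GET /api/v1/user/2 HTTP/1.1" 200 1790 "-" "curl/8.4"
203.0.113.5 - - [27/Feb/2026:10:00:03 +0300] "GET /api/v1/user/3 HTTP/1.1" 200 1811 "-" "curl/8.4"
10.10.4.20 - - [27/Feb/2026:10:05:00 +0300] "GET /api/v1/user/1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Feb/2026:10:06:00 +0300] "GET /api/v1/request HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for a GET /api/v1/user/<id> request, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    u = USER_RE.match(m["path"])
    if not u:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "uid": int(u["id"]), "status": int(m["status"])}


def is_admin_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def analyze(lines):
    """Return a list of (source_ip, rule, detail) alerts."""
    alerts = []
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        per_ip[ev["ip"]].append(ev)
        # Rule 1: a successful user-record read from outside the admin networks.
        if ev["status"] == 200 and not is_admin_ip(ev["ip"]):
            alerts.append((ev["ip"], "non_admin_user_read", f"user id {ev['uid']}"))
    # Rule 2: one client touching MIN_DISTINCT_IDS or more user IDs inside WINDOW.
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ids = {e["uid"] for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW}
            if len(ids) >= MIN_DISTINCT_IDS:
                alerts.append((ip, "user_id_enumeration", f"{len(ids)} ids within {WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample, 203.0.113.5 triggers three non-admin reads and one enumeration alert, the admin read from 10.10.4.20 is silent, and the unrelated /api/v1/request line is ignored. Feed real log lines on stdin or from a file in place of SAMPLE_LOG, and lower MIN_DISTINCT_IDS if your user base is small.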
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.2 - Segregation of duties
A.7.1.1 - User registration and access rights management
A.8.2.1 - User access management
A.10.1.1 - Cryptography controls for sensitive data
A.12.4.1 - Event logging and monitoring
🔵 SAMA CSF
ID.AM-2 - Software inventory and management
PR.AC-1 - Access control policy and procedures
PR.AC-4 - Access rights and privileges management
DE.CM-1 - Detection and analysis of anomalies
DE.AE-1 - Audit logging and monitoring
🟡 ISO 27001:2022
5.15 - Access control
5.16 - Identity management
5.17 - Authentication information
5.24 - Information security incident management planning and preparation
8.2 - Privileged access rights
8.3 - Information access restriction
8.8 - Management of technical vulnerabilities
8.15 - Logging
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain network security controls
Requirement 2.2 - System components are configured and managed securely
Requirement 6.3 - Security vulnerabilities are identified and addressed (patch to 3.1.0)
Requirement 7.2 - Access to system components and data is appropriately defined and assigned
Requirement 10.2 - Audit logs are implemented to support the detection of anomalies and suspicious activity
📊 CVSS Score
6.5
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low, any authenticated account)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: N (None)
Availability: N (None)
📋 Quick Facts
Severity Medium
CVSS Score6.5
CWECWE-639
Exploit No
Patch ✓ Yes (fixed in 3.1.0)
Published 2026-02-27
Source Feed nvd
Views 5
🇸🇦 Saudi Risk Score
7.2
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-639