External risk intelligence

Attacker can gain administrator control of Cleanuparr by faking network access.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-44183

An external attacker can exploit a flaw in Cleanuparr to bypass security and gain full administrative access by spoofing network requests. This allows them to modify automation settings, manipulate connected download clients, or delete files without authorization.

Halo Surface Signal: 3

External exposure likelihood

Halo Surface Signal score for CVE-2026-44183

Cleanuparr is a self-hosted utility for media automation. While users frequently place such tools behind reverse proxies for remote access, the software is primarily intended for local use. Public internet reachability is possible depending on user configuration and reverse proxy setup, but it is not a service designed or mandated to be public-facing by default.

Horizon Alert

Summary of the vulnerability and why it matters

This issue in Cleanuparr allows an unauthenticated attacker to log in as an administrator by sending a specially crafted request. This happens because the tool incorrectly trusts a spoofed IP address in a request header, bypassing security checks and granting full control over the application.

  • Remote attackers can gain admin access.
  • Allows full control over Cleanuparr.
  • Affects systems using versions prior to 2.9.10.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker can bypass authentication by sending a spoofed IP address in the `X-Forwarded-For` HTTP header. This allows them to trick Cleanuparr into believing they are a trusted local user, granting them administrator access to the application.

  • Targets Cleanuparr application.
  • Uses `X-Forwarded-For` header.
  • Requires network access.
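The trust decision described above, as an added illustration of the general pattern and not Cleanuparr's own code: a resolver that believes `X-Forwarded-For` from any sender, next to one that honors it only when the direct TCP peer is a known reverse proxy. The proxy address `10.0.0.2`, the function names and the loopback-only "local" check are assumptions made for the example.

```python
import ipaddress

# Assumption: the only reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.2/32")]


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_ip, xff):
    """Flawed pattern: believe the left-most header entry from any sender."""
    return xff.split(",")[0].strip() if xff else peer_ip


def resolve_client_ip(peer_ip, xff):
    """Hardened pattern: honor the header only when the TCP peer is a trusted
    proxy, then walk right to left and return the first untrusted hop.
    Returns None (fail closed) if an entry is not a valid IP address."""
    peer = ipaddress.ip_address(peer_ip)
    if not xff or not _is_trusted_proxy(peer):
        return str(peer)  # header ignored: the sender is not our proxy
    client = peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            client = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed chain: never fall back to the proxy's IP
        if not _is_trusted_proxy(client):
            break  # first address we cannot vouch for is the client
    return str(client)


def is_local(ip):
    """Stand-in for a 'trusted local user' check keyed on the resolved IP."""
    return ip is not None and ipaddress.ip_address(ip).is_loopback


# Constructed sample requests: (TCP peer address, X-Forwarded-For value).
DIRECT_SPOOF = ("203.0.113.50", "127.0.0.1")
PROXIED_SPOOF = ("10.0.0.2", "127.0.0.1, 203.0.113.50")  # proxy appended peer
LEGIT_PROXIED = ("10.0.0.2", "198.51.100.7")

if __name__ == "__main__":
    for peer, xff in (DIRECT_SPOOF, PROXIED_SPOOF, LEGIT_PROXIED):
        print(peer, repr(xff), "naive:", naive_client_ip(peer, xff),
              "hardened:", resolve_client_ip(peer, xff))
```

The hardened resolver relies on the reverse proxy appending the real peer address to the header (or overwriting it); a proxy that forwards the client-supplied value unchanged defeats it.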

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated remote attackers to gain administrator access by manipulating the `X-Forwarded-For` header. While the software is self-hosted, users may expose it via reverse proxies, making it reachable from the internet and thus a target. The fixed version was released recently.

  • Exploitation requires specific network configuration.
  • No public exploits are readily available.
  • Fix is recent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Cleanuparr to version 2.9.10 or later to address the critical authentication bypass vulnerability. If patching is delayed, immediately isolate affected services from untrusted networks to prevent unauthenticated administrative access.

  • Upgrade Cleanuparr to 2.9.10.
  • Restrict network access to Cleanuparr.
  • Monitor logs for suspicious authentication.

Frequently asked questions

What is Cleanuparr and what does it do?

Cleanuparr is a tool designed to automate the removal of unwanted files within media management applications like Sonarr and Radarr, and download clients such as qBittorrent. It helps keep your file system tidy by handling blocked or deleted media files.

How does CVE-2026-44183 allow an attacker to gain admin access?

This vulnerability, classified as CWE-290 (Authentication by IP Address) and CWE-348 (Information Exposure Through Network Access), occurs because Cleanuparr incorrectly trusts the IP address provided in the `X-Forwarded-For` header. An attacker can send a forged IP address in this header to impersonate a trusted user and gain administrator privileges.

What is required for an attacker to exploit this vulnerability?

An attacker needs to be able to send a specially crafted HTTP request to the Cleanuparr application. They must also be able to control or spoof the `X-Forwarded-For` header to insert a fake IP address. If Cleanuparr is configured to trust this header, the attacker can bypass authentication without needing any user credentials.

Who should be concerned about Cleanuparr's CVE-2026-44183 vulnerability?

Users who run Cleanuparr, especially if it's accessible over a network, should be concerned. While Cleanuparr is typically self-hosted, it might be exposed to the internet via reverse proxies. This could mean that an attacker on the internet (external) has a path to exploit this flaw, not just someone on the internal network.

What is the first step to address this Cleanuparr threat?

The most important first step is to update Cleanuparr to version 2.9.10 or a later release. This version includes the fix for the authentication bypass vulnerability. If an immediate upgrade isn't possible, restricting network access to the Cleanuparr service can help mitigate the risk.
