Nixpkgs security tracker

Dismissed

Permalink CVE-2026-30975

8.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
2 packages
- home-assistant-component-tests.sonarr
- tests.home-assistant-component-tests.sonarr
2 months, 4 weeks ago
@LeSuisse dismissed 2 months, 4 weeks ago

Sonarr Authentication Bypass vulnerability

Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses (Authentication Required set to: `Disabled for Local Addresses`) without a reverse proxy running in front of Sonarr that didn't not pass through the invalid header. Patches are available in version 4.0.16.2942 in the nightly/develop branch and version 4.0.16.2944 for stable/main releases. Some workarounds are available. Make sure Sonarr's Authentication Required setting is set to `Enabled`, run Sonarr behind a reverse proxy, and/or do not expose Sonarr directly to the internet and instead rely on accessing it through a VPN, Tailscale or a similar solution.

References

https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h5qx-5hjf-7c9r x_refsource_CONFIRM
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2942 x_refsource_MISC
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.16.2944 x_refsource_MISC

Affected products

Sonarr

==< 4.0.16.2942

Matching in nixpkgs

pkgs.sonarr

Smart PVR for newsgroup and bittorrent users

nixos-unstable 4.0.16.2944
- nixpkgs-unstable 4.0.16.2944
- nixos-unstable-small 4.0.16.2944

Ignored packages (2)

pkgs.home-assistant-component-tests.sonarr

None

pkgs.tests.home-assistant-component-tests.sonarr

Open source home automation that puts local control and privacy first

nixos-unstable 2026.3.3
- nixpkgs-unstable 2026.3.3
- nixos-unstable-small 2026.3.3

Package maintainers

@purcell Steve Purcell <steve@sanityinc.com>
@tie Ivan Trubach <mr.trubach@icloud.com>
@niklaskorz Niklas Korz <nixpkgs@korz.dev>
@karaolidis Nikolaos Karaolidis <nick@karaolidis.com>

Current stable branch was never impacted: https://github.com/NixOS/nixpkgs/commit/e9a6f320c08199693a03a00662141897cd3c79ce