Unrated severityNVD Advisory· Published Feb 27, 2026· Updated Feb 27, 2026

Seerr missing authentication on pushSubscription endpoints

CVE-2026-27792

Description

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the isOwnProfileOrAdmin() middleware on several push subscription API routes. Version 3.1.0 fixes the issue.

Affected products

Seerr/Seerrllm-fuzzy
Range: >=2.7.0, <3.1.0
seerr-team/seerrv5
Range: >= 2.7.0, < 3.1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/seerr-team/seerr/commit/946bdecec524b4e7f8aaf8f2b3856f319a3580c1mitrex_refsource_MISC
github.com/seerr-team/seerr/releases/tag/v3.1.0mitrex_refsource_MISC
github.com/seerr-team/seerr/security/advisories/GHSA-gx3h-3jg5-q65fmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000