Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
History
Fri, 13 Mar 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1. | |
| Title | Cleanuparr has Username Enumeration via Timing Attack | |
| Weaknesses | CWE-208 | |
| References |
| |
| Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-13T21:09:00.127Z
Reserved: 2026-03-13T14:33:42.823Z
Link: CVE-2026-32702
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
No data.