Is CVE-2026-27793 actively exploited?

CVE-2026-27793 has no public evidence of in-the-wild exploitation as of 2026-03-04.

What is the CVSS score for CVE-2026-27793?

CVE-2026-27793 has a CVSS score of 6.5 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

How do I patch CVE-2026-27793?

Patch guidance is available from seerr security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-27793.

CVE-2026-27793 - remediation guidance & executive summary

Description

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of their privilege level. This vulnerability can be exploited alone or combined with the reported unauthenticated account creation vulnerability, CVE-2026-27707. When combined, the two vulnerabilities create a zero-prior-access chain that leaks third-party API credentials for all users, including administrators. Version 3.1.0 contains a fix for both this vulnerability and for CVE-2026-27707.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none
Weaknesses: CWE-639

Metadata

Primary Vendor: SEERR
Published: 2/27/2026
Last Modified: 3/4/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

seerr : seerr

Remediation Guidance

Executive Summary

Cite this page

CVE-2026-27793. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-27793

View on NIST NVD

CVE-2026-27793 vulnerability