CVE-2026-32702

CVE-2026-32702 is a medium-severity vulnerability in Cleanuparr Project Cleanuparr with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-208.

Key facts

Description

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1.

Frequently asked questions

What is CVE-2026-32702?
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. It appears that the hashing function, which is the most time-consuming part of the process by design, occurs as part of the VerifyPassword function. With the short circuits occurring before the hashing function, a timing differential is introduced that exposes validity to the actor. This vulnerability is fixed in 2.8.1.
How severe is CVE-2026-32702?
CVE-2026-32702 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2026-32702 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (24th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-32702?
CVE-2026-32702 affects Cleanuparr Project Cleanuparr. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-32702?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-32702 have an EU (EUVD) identifier?
Yes. CVE-2026-32702 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-12144.
When was CVE-2026-32702 published?
CVE-2026-32702 was published on 2026-03-16 and last updated on 2026-06-17.

References

Affected products (1)

Other CWE-208 vulnerabilities

Browse all CWE-208 vulnerabilities →