Cleanuparr CVE-2026-44183: Critical RCE via X-Forwarded-For Header Spoofing
The National Vulnerability Database has issued an advisory for CVE-2026-44183, a critical vulnerability in Cleanuparr, a tool designed for automating file management in Sonarr, Radarr, and download clients like qBittorrent. Prior to version 2.9.10, Cleanuparr’s TrustedNetworkAuthenticationHandler.ResolveClientIp function incorrectly parsed the X-Forwarded-For header. It relied on the leftmost entry as the client IP, a value that is fully attacker-controlled.
This flaw allows an unauthenticated remote attacker to bypass trusted-network checks by simply spoofing a local IP address within the X-Forwarded-For header. Successfully exploiting this vulnerability grants the attacker administrative access to the Cleanuparr instance, as they are logged in as the administrator. The National Vulnerability Database rates this with a CVSS score of 9.8 (Critical), highlighting the severe impact and ease of exploitation.
The vulnerability is rooted in CWE-290 (Authentication Bypass by Spoofing) and CWE-348 (Use of Weak Cryptography for Authentication), underscoring a fundamental flaw in how network trust was established. Defenders must recognize that relying on easily manipulated HTTP headers for authentication is a critical security misstep. The fix is available in Cleanuparr version 2.9.10.
What This Means For You
- If your organization utilizes Cleanuparr, you are at critical risk of unauthenticated remote administrative access. Immediately verify your Cleanuparr version. If it is prior to 2.9.10, patch to the latest version without delay. Additionally, review your network architecture to ensure that services are not exposing trusted-network authentication logic to untrusted HTTP headers from external sources.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-44183: Cleanuparr X-Forwarded-For Header Spoofing for Admin Login
title: CVE-2026-44183: Cleanuparr X-Forwarded-For Header Spoofing for Admin Login
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-44183 by sending a spoofed 'X-Forwarded-For' header with a localhost IP address to bypass authentication and gain administrator access to Cleanuparr. This rule specifically looks for requests to the authentication endpoint that include a localhost IP in a header commonly used for IP spoofing.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-44183/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/api/v1/authenticate'
referer|contains:
- '127.0.0.1'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44183 | Auth Bypass | Cleanuparr versions prior to 2.9.10 |
| CVE-2026-44183 | Auth Bypass | Vulnerable component: TrustedNetworkAuthenticationHandler.ResolveClientIp |
| CVE-2026-44183 | Auth Bypass | Attack vector: Spoofed X-Forwarded-For header with a local IP |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 21:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
MongoDB Ops Manager RCE via Webhook Template Injection (CVE-2026-8431)
CVE-2026-8431 — An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. ...
CVE-2026-8430: SPIP RCE Limited to Nginx Configurations
CVE-2026-8430 — SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing...
SPIP RCE Vulnerability (CVE-2026-8429) Bypasses Security Protections
CVE-2026-8429 — SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in...