Seerr Broken Object-Level Authorization Vulnerability Exposes Third-Party Notification Credentials
Vulnerability
A vulnerability in Seerr, an open-source media request and discovery manager for Jellyfin, Plex, and Emby, allows any authenticated user to access the full settings object of any other user through the `GET /api/v1/user/:id` endpoint. This includes sensitive credentials for third-party services such as Pushover, Pushbullet, and Telegram. The issue arises from a lack of proper ownership and permission checks, enabling the unauthorized retrieval of personal data. This vulnerability affects Seerr versions prior to 3.1.0.
Impact
Exploitation of this vulnerability leads to unauthorized access to third-party API credentials for all users, including administrators.
Reproduction
To reproduce this vulnerability, an authenticated user can send a request to the `GET /api/v1/user/:id` endpoint, replacing `:id` with the ID of the target user. The response will include the full settings object, including sensitive notification credentials, regardless of the requester's privilege level.
Remediation
Users can upgrade to Seerr version 3.1.0, which addresses this vulnerability by implementing proper ownership and permission checks on the user profile endpoint.
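The check described under Vulnerability and Remediation can be modelled without the rest of the application. The following is an added example, not Seerr's own code: it is a framework-free version of a `GET /api/v1/user/:id` handler that returns the full settings object only to the profile's owner or to a requester holding a user-management permission, and hands everyone else a minimal public view with no settings object at all. The permission bit values, the `UserSettings` field names and the sample users are assumptions constructed for the example; Seerr's real schema is not on the page.

```typescript
// Added example (not Seerr's code): ownership/permission check for a
// GET /api/v1/user/:id style handler, so another user's settings object,
// and the third-party notification credentials inside it, is never returned
// to a requester who does not own it or manage users.

interface UserSettings {
  // Field names are assumptions standing in for Seerr's real settings shape.
  locale?: string;
  pushoverApplicationToken?: string;
  pushoverUserKey?: string;
  pushbulletAccessToken?: string;
  telegramChatId?: string;
}

interface User {
  id: number;
  displayName: string;
  permissions: number; // bitmask
  settings: UserSettings;
}

// Hypothetical permission bits; the real values are not on the page.
const UserPermission = { ADMIN: 1 << 1, MANAGE_USERS: 1 << 3 } as const;

function hasPermission(user: User, bit: number): boolean {
  // ADMIN implies every other permission.
  return (user.permissions & UserPermission.ADMIN) !== 0 || (user.permissions & bit) !== 0;
}

// The ownership/permission check that was missing: only the profile owner or
// a user manager may read the full record, including notification credentials.
function canReadFullProfile(requester: User, targetId: number): boolean {
  return requester.id === targetId || hasPermission(requester, UserPermission.MANAGE_USERS);
}

interface UserView {
  id: number;
  displayName: string;
  settings?: UserSettings;
}

interface HttpResult {
  status: number;
  body: UserView | { error: string };
}

// Handler logic for GET /api/v1/user/:id. Requesters who fail the check get a
// public view that omits the settings object entirely, so a later addition of
// new secret fields to UserSettings cannot reintroduce the leak.
function handleGetUser(requester: User, idParam: string, users: User[]): HttpResult {
  if (!/^\d+$/.test(idParam)) {
    return { status: 400, body: { error: 'invalid user id' } };
  }
  const targetId = Number(idParam);
  const target = users.find((u) => u.id === targetId);
  if (!target) {
    return { status: 404, body: { error: 'user not found' } };
  }
  const view: UserView = { id: target.id, displayName: target.displayName };
  if (canReadFullProfile(requester, target.id)) {
    view.settings = { ...target.settings };
  }
  return { status: 200, body: view };
}

// True when a response body carries a settings object (i.e. the full profile).
function exposesSettings(result: HttpResult): boolean {
  return 'settings' in result.body && result.body.settings !== undefined;
}

// Constructed sample data for a stand-alone run; the credentials are fake.
const sampleUsers: User[] = [
  { id: 1, displayName: 'admin', permissions: UserPermission.ADMIN, settings: { locale: 'en' } },
  {
    id: 2,
    displayName: 'alice',
    permissions: 0,
    settings: { locale: 'en', pushoverUserKey: 'FAKE-PUSHOVER-KEY', telegramChatId: '123456' },
  },
  { id: 3, displayName: 'bob', permissions: 0, settings: { locale: 'de' } },
];

// Stand-alone demonstration: bob asks for alice's profile and gets no settings.
const demoResult = handleGetUser(sampleUsers[2], '2', sampleUsers);
console.log(JSON.stringify(demoResult));
```

Returning a reduced public view rather than a 403 is a design choice of this example: other parts of a media-request UI may legitimately need a user's display name, but nothing outside the owner's own profile page or an administrator's user-management screen needs the settings object. Whichever shape the real fix takes, the test that matters is the one `exposesSettings` expresses: a request for another user's id must never carry notification credentials.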
