CVE-2026-26069

7.5 HIGH

📋 TL;DR

Scraparr versions 3.0.0-beta through 3.0.1 expose Readarr API keys in Prometheus metrics when Readarr integration is enabled without an alias. This allows attackers to steal API keys if the /metrics endpoint is publicly accessible. Only users with Readarr scraping enabled, no alias configured, and externally accessible endpoints are affected.

💻 Affected Systems

Products:
  • Scraparr
Versions: 3.0.0-beta to 3.0.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires Readarr scraping enabled, no alias configured, and /metrics endpoint accessible externally.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain the Readarr API key and gain unauthorized access to the Readarr instance, potentially compromising the media management system and associated services.

🟠

Likely Case

API key exposure leads to unauthorized Readarr access, allowing manipulation of media libraries or configuration changes.

🟢

If Mitigated

No impact if /metrics endpoint is properly firewalled or authentication is required.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to /metrics endpoint and knowledge of metric structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.2

Vendor Advisory: https://github.com/thecfu/scraparr/security/advisories/GHSA-hx24-222f-w5cj

Restart Required: Yes

Instructions:

1. Stop the Scraparr service.
2. Update to version 3.0.2 via package manager or manual download.
3. Restart the Scraparr service.

🔧 Temporary Workarounds

Disable Readarr Integration

Platform: all

Temporarily disable Readarr scraping in Scraparr configuration

Edit scraparr config file and set readarr.enabled: false

Restrict /metrics Endpoint

Platform: linux

Configure firewall or reverse proxy to block external access to /metrics endpoint

iptables -A INPUT -p tcp --dport 8080 ! -s 192.168.1.0/24 -j DROP

🧯 If You Can't Patch

  • Configure alias for Readarr metrics to mask API key
  • Implement authentication or IP whitelisting for /metrics endpoint

🔍 How to Verify

Check if Vulnerable:

Access /metrics endpoint and search for 'readarr_api_key' or similar metric labels containing API key values.

Check Version:

scraparr --version or check service status output

Verify Fix Applied:

After patching, verify /metrics endpoint no longer exposes API keys in metric labels.
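A defender-side check for the "Check if Vulnerable" and "Verify Fix Applied" steps above, written for this page and not part of Scraparr: it parses Prometheus text-format output and flags any label whose name looks secret-bearing or whose value looks like a 32-hex-character API key. The metric and label names in the sample, and the assumption that the key appears as a label value when no alias is configured, are illustrative assumptions; fetch your own /metrics output and pass it to find_leaked_keys.

```python
import re

# Constructed sample of Prometheus exposition text. Metric and label names are
# assumptions for illustration; the real Scraparr metric names may differ. The
# first readarr line models the page's description: with no alias configured,
# the raw API key ends up in a label value.
SAMPLE_METRICS = """\
# HELP readarr_system_status Readarr system status
# TYPE readarr_system_status gauge
readarr_system_status{alias="0123456789abcdef0123456789abcdef",url="http://readarr:8787"} 1
sonarr_queue_total{alias="sonarr-main",url="http://sonarr:8989"} 3
readarr_books_total{alias="readarr-main",url="http://readarr:8787"} 42
readarr_queue_total{alias="readarr-main",api_key="topsecret1"} 0
"""

# Label names that should never carry credential material.
SECRET_LABEL_NAMES = re.compile(r"(api[_-]?key|token|secret|password)", re.IGNORECASE)
# Assumption: *arr-style API keys are 32 hex characters.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# One sample line: metric_name{label="value",...} value [timestamp]
SAMPLE_LINE = re.compile(r"^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+\S+")
LABEL_PAIR = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)="(?P<val>(?:\\.|[^"\\])*)"')


def redact(value):
    """Keep only a prefix/suffix so findings can be reported without re-leaking the key."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def find_leaked_keys(text):
    """Return (metric, label, redacted_value) for every label that looks like a leaked key."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip HELP/TYPE comments and blanks
            continue
        m = SAMPLE_LINE.match(line)
        if not m or not m.group("labels"):
            continue
        for lm in LABEL_PAIR.finditer(m.group("labels")):
            key, val = lm.group("key"), lm.group("val")
            if SECRET_LABEL_NAMES.search(key) or HEX32.match(val):
                findings.append((m.group("name"), key, redact(val)))
    return findings


if __name__ == "__main__":
    for metric, label, shown in find_leaked_keys(SAMPLE_METRICS):
        print(f"possible key leak: {metric} label {label}={shown}")
```

An empty result after upgrading to 3.0.2 (or after configuring an alias) is the expected outcome; a non-empty result means the endpoint still needs to be firewalled until the key is rotated.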

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /metrics endpoint
  • Unusual Readarr API activity

Network Indicators:

  • External requests to /metrics endpoint
  • Traffic patterns suggesting metric scraping

SIEM Query:

source="scraparr.log" AND (uri="/metrics" OR message="*api_key*")
