CVE-2026-44183

Cleanuparr · Cleanuparr

An authentication bypass vulnerability in Cleanuparr allows unauthenticated remote attackers to gain administrative access via X-Forwarded-For header spoofing.

Executive summary

Cleanuparr versions prior to 2.9.10 are vulnerable to an authentication bypass flaw that allows unauthenticated attackers to gain full administrative control.

Vulnerability

The application derives the client IP address from the leftmost entry of the X-Forwarded-For HTTP header. That entry is written by whoever originates the request, not by an intermediate proxy, so any client can set it to an arbitrary value; only the entries appended by proxies the deployment actually controls carry any trust. An unauthenticated attacker who sends a header naming a trusted local-network address therefore passes the local-network check, bypasses authentication, and obtains administrator privileges.
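The flaw is easiest to see beside its fix. The following Python is an added example written for this page, not Cleanuparr's own code: client_ip_vulnerable() reproduces the pattern the advisory describes (trust the leftmost entry unconditionally), client_ip_hardened() shows a proxy-aware extraction that walks the chain from the right, and auth_bypass_granted() stands in for the local-network check. The LOCAL_NETWORKS ranges, the proxy address 10.0.0.5 and the client addresses are assumptions chosen for illustration; the advisory does not say which ranges Cleanuparr treats as local.

```python
"""Added example: trusting the leftmost X-Forwarded-For entry versus a
proxy-aware extraction. Illustrative code, not from the Cleanuparr project."""
import ipaddress
from collections.abc import Iterable, Mapping
from typing import Optional

# Assumption: the advisory does not list the ranges the application treats as
# "trusted local network"; RFC 1918 plus loopback is used here for illustration.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128",
)]


def parse_xff(value: str) -> list[str]:
    """Split 'a, b, c' into ['a', 'b', 'c']. Each proxy hop appends one entry
    on the right; the leftmost entry is whatever the original client sent."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_local(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETWORKS)


def client_ip_vulnerable(headers: Mapping[str, str], remote_addr: str) -> str:
    """The pattern the advisory describes: take the leftmost entry as the
    client address. That entry is attacker-controlled, so the caller ends up
    trusting a value the client chose."""
    entries = parse_xff(headers.get("X-Forwarded-For", ""))
    return entries[0] if entries else remote_addr


def client_ip_hardened(headers: Mapping[str, str], remote_addr: str,
                       trusted_proxies: Iterable[str]) -> Optional[str]:
    """Honour the header only when the TCP peer is one of our proxies, then walk
    the chain from the right, skipping our own proxies, and return the first
    address that a trusted proxy actually observed. Returns None when the chain
    cannot be attributed (missing, malformed, or made only of our proxies);
    returning the proxy's own address there would re-grant local trust."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if peer not in trusted:
        # No trusted proxy in front of us: the header is plain client input.
        return remote_addr
    for entry in reversed(parse_xff(headers.get("X-Forwarded-For", ""))):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None  # malformed chain: refuse to guess
        if addr not in trusted:
            return str(addr)
    return None  # header absent or every entry is one of our proxies


def auth_bypass_granted(client_ip: Optional[str]) -> bool:
    """Stand-in for the flawed policy: clients on the local network skip
    authentication. An unattributable client (None) never qualifies."""
    return client_ip is not None and is_local(client_ip)


if __name__ == "__main__":
    # Attacker at 203.0.113.9 behind the proxy 10.0.0.5 sends a spoofed entry;
    # the proxy appends the real address, producing the chain below.
    spoofed = {"X-Forwarded-For": "192.168.1.10, 203.0.113.9"}
    print("vulnerable:", client_ip_vulnerable(spoofed, "10.0.0.5"))
    print("hardened:  ", client_ip_hardened(spoofed, "10.0.0.5", ["10.0.0.5"]))
```

With the spoofed chain, the vulnerable extraction returns the client-chosen 192.168.1.10 and the local-network check passes; the hardened version returns 203.0.113.9, the address the proxy saw. When the attacker connects directly (no trusted proxy as the TCP peer), the header is ignored altogether, so a bare "X-Forwarded-For: 127.0.0.1" gains nothing.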

Business impact

Successful exploitation grants an attacker full administrative access to the Cleanuparr instance. With a CVSS score of 9.8 the risk is critical: an attacker can change configuration, manipulate files the application manages, and potentially compromise the underlying host environment.

Remediation

Immediate Action: Upgrade to Cleanuparr 2.9.10 or later, which corrects the authentication logic.

Proactive Monitoring: Review reverse-proxy and application access logs for X-Forwarded-For values that carry a private or loopback address ahead of a public client address, for the header arriving on connections that did not pass through a trusted proxy, and for administrative activity originating from unexpected IP ranges.

Compensating Controls: If the instance is reachable from untrusted networks, configure the reverse proxy or Web Application Firewall (WAF) to overwrite X-Forwarded-For with the connecting client's address, or strip the header entirely, rather than passing the client-supplied value through. This only helps if the application cannot be reached by bypassing that proxy.
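The monitoring item above is concrete enough to script. What follows is an added example, not Cleanuparr's code nor any proxy vendor's: it parses access-log lines in a combined format extended with the X-Forwarded-For header as the final quoted field, and flags the header arriving from a peer that is not the trusted proxy, a client-supplied local address sitting ahead of the public address the proxy appended, a malformed entry, and administrative requests whose real client lies outside the local ranges. The log format, the proxy address 10.0.0.5, the /api/ admin prefix, the LOCAL_NETWORKS ranges and every sample line are constructed assumptions; adapt them to your proxy's log format and the application's actual endpoints.

```python
"""Added example: detection of X-Forwarded-For spoofing attempts in access logs.
Illustrative code with constructed sample data, not from the Cleanuparr project."""
import ipaddress
import re
from dataclasses import dataclass

# Assumptions for this example: one reverse proxy at 10.0.0.5 in front of the
# application, RFC 1918 plus loopback treated as "local", admin endpoints under /api/.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]
ADMIN_PREFIX = "/api/"

# Assumed format: combined log with the X-Forwarded-For request header logged
# as the last quoted field ("-" when absent).
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /api/settings HTTP/1.1" 200 512 "192.168.1.10"
10.0.0.5 - - [01/May/2026:10:00:07 +0000] "GET /api/settings HTTP/1.1" 200 512 "192.168.1.10, 203.0.113.9"
203.0.113.9 - - [01/May/2026:10:00:12 +0000] "POST /api/config HTTP/1.1" 200 88 "127.0.0.1"
10.0.0.5 - - [01/May/2026:10:00:20 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "198.51.100.7"
10.0.0.5 - - [01/May/2026:10:00:25 +0000] "GET /api/settings HTTP/1.1" 200 512 "-"
""".splitlines()


@dataclass
class Finding:
    line_no: int
    peer: str
    xff: str
    path: str
    reasons: list


def is_local(addr) -> bool:
    return any(addr in net for net in LOCAL_NETWORKS)


def parse_chain(xff: str):
    """Return the header entries as address objects, or None if any entry is
    not an IP literal (a signal in itself)."""
    out = []
    for part in xff.split(","):
        try:
            out.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            return None
    return out


def scan(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        xff = m["xff"].strip()
        if xff in ("", "-"):
            continue  # header absent: nothing was spoofed on this request
        try:
            peer = ipaddress.ip_address(m["peer"])
        except ValueError:
            continue
        reasons = []
        chain = parse_chain(xff)
        if peer not in TRUSTED_PROXIES:
            reasons.append("X-Forwarded-For sent by a peer that is not a trusted proxy")
        elif chain is None:
            reasons.append("malformed X-Forwarded-For entry")
        else:
            # The proxy appended the rightmost entry; everything to its left
            # was supplied by the client and is untrusted.
            real_client = chain[-1]
            if any(is_local(a) for a in chain[:-1]) and not is_local(real_client):
                reasons.append("client supplied a local address ahead of its public address")
            if m["path"].startswith(ADMIN_PREFIX) and not is_local(real_client):
                reasons.append("admin path requested from outside local ranges")
        if reasons:
            findings.append(Finding(n, m["peer"], xff, m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: peer={f.peer} xff={f.xff!r} path={f.path}")
        for r in f.reasons:
            print("   -", r)
```

Against the sample, line 2 (spoofed local entry relayed by the proxy) and line 3 (header sent straight to the application by a non-proxy peer) are reported; the genuine LAN user on line 1, the public visitor to a static asset on line 4 and the header-less request on line 5 are not. Tune the rules per environment: a deployment with several proxy hops must list every hop in TRUSTED_PROXIES, and a deployment where the proxy itself is expected to rewrite or strip the header should treat any multi-entry chain as suspicious.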

Exploitation status

Public Exploit Available: Not explicitly stated; the SSVC assessment records that a proof of concept exists.

Analyst recommendation

This vulnerability represents a critical failure in access control. Administrators must prioritize updating to version 2.9.10 or later to prevent unauthorized administrative access. Organizations should also audit their network architecture so that the application accepts X-Forwarded-For only from trusted proxies and honours only the entry a trusted proxy appended, never the client-supplied leftmost value.