Huntarr Security Vulnerability Exposes API Keys

A reported Huntarr security vulnerability has put security practices in self-hosted automation tools under fresh scrutiny. A publicly shared security review alleged that certain versions of Huntarr contained authentication bypass flaws that could allow unauthenticated access to internal API endpoints.

Huntarr is a self-hosted application for managing and automating tasks across popular *arr tools such as Sonarr, Radarr, and Prowlarr. Because it connects to and stores API keys for these services, it functions as a centralized control layer in many media automation setups.

The findings described in this article are based on a publicly shared Reddit post and a GitHub security review. As of publication, the reported vulnerabilities have not been independently verified, and no official response from the Huntarr maintainers has been publicly released.

What are the key security vulnerabilities reported in Huntarr?

According to the Reddit post and the GitHub review, multiple vulnerabilities were identified in Huntarr v9.4.2.

• Authentication bypass: The reviewer alleges that certain API endpoints could be accessed without a valid login session. According to the review, this would allow anyone on the same network, or on the internet, if the instance was exposed, to interact with the application without authentication.
• Exposure of stored API keys: The report claims that configuration endpoints returned stored API keys in cleartext. Because Huntarr integrates with services such as Sonarr, Radarr, and Prowlarr, retrieving those keys could enable unauthorized access to connected applications. The review characterizes this as cross-application credential exposure, meaning multiple connected services could potentially be affected at once.
• Account takeover concerns: The disclosure references authentication-related endpoints, including two-factor authentication (2FA) setup routes, that the review describes as accessible without proper verification. The reviewer states this could allow an attacker to retrieve authentication secrets and register their own device.
• Unauthorized configuration and recovery actions: Additional endpoints were reportedly capable of modifying setup state, generating recovery keys, or re-arming account creation without login. The review indicates these behaviors could allow unauthorized reconfiguration of the application.

In the GitHub review outlining the alleged flaws, the author writes:

“If you run Huntarr and it’s reachable on your network, anyone can read your passwords and rewrite your config right now. No login required.”

Huntarr Security Reproduction Lab (GitHub)

In the GitHub review, the author categorized several findings as “Critical” and “High” severity, including unauthenticated settings access, cross-app credential exposure, and 2FA-related issues.

Source: rfsbraz/huntarr-security-review (GitHub)

What happened after the disclosure of Huntarr’s critical vulnerabilities?

The security concerns gained visibility after posts detailing the alleged flaws were shared on Reddit and GitHub. The discussion quickly gained traction, with users urging others to shut down Huntarr and rotate API keys as a precaution.

Several community forums began circulating warnings, and tech-focused sites and social posts amplified the discussion, further increasing visibility around the reported issues.

Soon after the thread gained attention, community members reported that the project’s subreddit had been made private and that the main GitHub repository was no longer publicly accessible. 

As of publication, no official statement, confirmed patch, or formal security advisory addressing the reported findings has been publicly released by the Huntarr maintainers.

Source: GitHub/Huntarr.io

What should Huntarr users do now?

Community discussions after the disclosure have prompted users to adopt precautionary measures.

• Shut down the Huntarr instance if it is still running, particularly if it was accessible on a local network or exposed to the internet.
• Regenerate all API keys for connected services, including Sonarr, Radarr, Prowlarr, and any other integrated applications.
• Reset related credentials and review account security settings, including authentication methods.
• Check system logs and configurations for unexpected changes, new devices, or unfamiliar activity.

The bigger takeaway

The reported Huntarr security vulnerability underscores how much trust users place in self-hosted tools that manage multiple services from a single interface. When an application stores API keys and serves as a central control layer, weaknesses in authentication or credential handling can have broader implications.

Whether the reported issues are formally addressed or not, the episode reinforces a practical rule for self-managed deployments: limit network exposure, monitor access controls, and treat API keys like passwords. For users running interconnected automation stacks, regular audits aren’t optional — they’re essential.

As conversations around software security continue, G2’s vulnerability management category offers insight into tools that identify and manage risk.