In the self-hosted world, tools that sit on top of Sonarr, Radarr, and friends tend to spread fast, mostly because they promise convenience. That convenience is exactly what’s driving a new wave of concern after a r/selfhosted post accused Huntarr of exposing sensitive credentials tied to popular *arr apps.
The thread, posted yesterday, lays out what the OP describes as a basic security review of Huntarr.io (version 9.4.2) and claims the app had endpoints that could be reached without proper login checks.
The big worry, as described there, is that a request to a settings endpoint could return a full configuration dump that includes API keys and passwords for connected services such as Sonarr, Radarr, Prowlarr, Lidarr, Readarr, and Whisparr.
Huntarr’s GitHub project described itself as a utility that automates finding missing items in, and upgrading, media collections, with integrations across the *arr ecosystem. When an app like that becomes the place where all your API keys live, any auth mistake can turn into a single point of failure for an entire media stack.
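The failure mode the thread describes, a settings endpoint that hands back the whole configuration without checking who is asking, is easy to model. The following is an added example written for this article, not Huntarr’s code and not its real API: a hypothetical `/api/settings` WSGI endpoint in the vulnerable shape beside a hardened version that gates on a session token and masks secret fields before serialising. The configuration, the session token and every key value are constructed placeholders.

```python
import hmac
import json

# Constructed sample configuration in the shape an *arr integration tool keeps
# (hypothetical, not Huntarr's real schema). All values are placeholders.
CONFIG = {
    "sonarr":   {"url": "http://sonarr:8989",   "api_key": "SONARR_KEY_PLACEHOLDER"},
    "radarr":   {"url": "http://radarr:7878",   "api_key": "RADARR_KEY_PLACEHOLDER"},
    "prowlarr": {"url": "http://prowlarr:9696", "api_key": "PROWLARR_KEY_PLACEHOLDER"},
    "smtp":     {"host": "mail.example", "password": "SMTP_PASSWORD_PLACEHOLDER"},
}

# Field names treated as secrets when settings are rendered to a client.
SECRET_FIELDS = {"api_key", "apikey", "password", "token", "secret"}

# Hypothetical session store: opaque token -> user. A real app would use a
# signed cookie or a server-side session; the token below is a constructed value.
SESSIONS = {"SESSION_TOKEN_PLACEHOLDER": "admin"}


def redact_secrets(value):
    """Return a deep copy of a settings tree with secret fields masked.

    Keys are compared case-insensitively so 'ApiKey' and 'api_key' both match.
    """
    if isinstance(value, dict):
        return {
            k: ("***REDACTED***" if k.lower() in SECRET_FIELDS else redact_secrets(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact_secrets(v) for v in value]
    return value


def is_authenticated(environ):
    """Accept the request only if it carries a known session token."""
    presented = environ.get("HTTP_X_SESSION_TOKEN", "")
    # Constant-time comparison against each known token avoids a timing oracle.
    return any(hmac.compare_digest(presented, known) for known in SESSIONS)


def _json_response(start_response, status, payload):
    body = json.dumps(payload).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


def vulnerable_settings_app(environ, start_response):
    """The pattern the thread describes: no auth check, raw config dump."""
    if environ.get("PATH_INFO") != "/api/settings":
        return _json_response(start_response, "404 Not Found", {"error": "not found"})
    return _json_response(start_response, "200 OK", CONFIG)


def hardened_settings_app(environ, start_response):
    """Same endpoint with an auth gate and secret redaction on the way out."""
    if environ.get("PATH_INFO") != "/api/settings":
        return _json_response(start_response, "404 Not Found", {"error": "not found"})
    if not is_authenticated(environ):
        return _json_response(start_response, "401 Unauthorized", {"error": "login required"})
    return _json_response(start_response, "200 OK", redact_secrets(CONFIG))


def call(app, path="/api/settings", headers=None):
    """Drive a WSGI app in-process; returns (status line, decoded JSON body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, val in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = val
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


if __name__ == "__main__":
    print(call(vulnerable_settings_app))
    print(call(hardened_settings_app))
    print(call(hardened_settings_app, headers={"X-Session-Token": "SESSION_TOKEN_PLACEHOLDER"}))
```

Two separate controls are at work here: the authentication gate is what the thread says was missing, and the redaction is defence in depth, since a UI that needs to show whether a key is configured rarely needs to show the key itself. If an integration genuinely has to echo a key back (an edit form, say), scoping that to a separate, write-oriented endpoint keeps the bulk settings dump free of plaintext credentials.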

What pushed this beyond a normal security thread is the timing and the cleanup that people say followed. In the same r/selfhosted discussion, commenters claimed the r/huntarr subreddit was made private and that the main Huntarr GitHub repo (plexguide/Huntarr.io) was deleted or switched out of public view soon after the post gained attention. I can confirm that both are no longer accessible.
A separate r/SubredditDrama thread also discusses the subreddit going private and the project’s online presence being pulled down after the vulnerability claims circulated.
If you’re running Huntarr, the advice circulating on Reddit and X right now is to take it offline and rotate the API keys for every connected app. The full security review with all 21 findings is on GitHub.
