Skip to main content

Audiobookshelf CVE-2026-42885

| EUVDEUVD-2026-29208 MEDIUM
Path Traversal (CWE-22)
2026-05-11 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 11, 2026 - 21:03 EUVD
Analysis Generated
May 11, 2026 - 20:31 vuln.today
CVE Published
May 11, 2026 - 19:52 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validate that a resolved file path is within a library folder. This check fails for sibling directories whose names share a common prefix (e.g., /audiobooks vs /audiobooks-private), allowing authenticated users with upload permission to probe file existence outside their authorized library folder boundaries. This vulnerability is fixed in 2.32.2.

AnalysisAI

Authenticated users with upload permission in Audiobookshelf prior to 2.32.2 can enumerate files outside their authorized library folder through a path traversal vulnerability in the POST /api/filesystem/pathexists endpoint. The vulnerability exploits a weak String.startsWith() validation that fails to distinguish between sibling directories with shared prefixes (e.g., /audiobooks and /audiobooks-private), allowing information disclosure about file existence across library boundaries despite authentication requirements. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

Audiobookshelf uses String.startsWith() to validate that resolved file paths remain within a user's authorized library directory, a common but flawed approach to path boundary checking. This method fails when directory names share prefixes - for example, if a user is authorized for /audiobooks, the path /audiobooks-private would pass validation because it starts with /audiobooks, even though the real path is outside the intended boundary. This is a classic instance of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where insufficient canonicalization and validation of file path input allows directory traversal. The vulnerability is specific to the POST /api/filesystem/pathexists endpoint, which appears to be used to check file existence without enforcing proper scope isolation.

RemediationAI

Upgrade Audiobookshelf to version 2.32.2 or later, which corrects the path validation logic to properly check for path boundaries without relying on prefix matching. If immediate upgrade is not feasible, restrict upload permission to trusted users only and monitor POST requests to /api/filesystem/pathexists for unusual path patterns (e.g., requests probing sibling directories or parent paths). Note that this compensating control does not eliminate the vulnerability but reduces the pool of potential attackers and may increase detection likelihood. The patch is available from the official Audiobookshelf repository and should be deployed after testing in a non-production environment to ensure compatibility with custom library configurations.

CVE-2025-25205 HIGH POC
8.2 Feb 12

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 8.2), this vulnerability is remo

CVE-2025-46338 MEDIUM POC
6.9 Apr 29

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.9), this vulnerability is re

CVE-2023-47624 MEDIUM POC
6.5 Dec 13

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.5), this vulnerability is re

CVE-2023-47619 MEDIUM POC
6.5 Dec 13

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.5), this vulnerability is re

CVE-2026-27963 MEDIUM POC
4.8 Feb 26

Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library meta

CVE-2024-35236 MEDIUM POC
4.8 May 27

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 4.8), this vulnerability is re

CVE-2024-43797 MEDIUM POC
4.3 Sep 02

audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 4.3), this vulnerability is re

CVE-2023-51697 HIGH
7.5 Dec 27

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remo

CVE-2023-51665 HIGH
7.5 Dec 27

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remo

CVE-2026-42888 MEDIUM
6.9 May 11

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/c

CVE-2026-42883 MEDIUM
6.5 May 11

Authenticated users with download permissions in Audiobookshelf prior to 2.32.2 can download files from libraries they d

CVE-2026-42886 MEDIUM
4.9 May 11

Denial-of-service in Audiobookshelf prior to version 2.32.2 allows authenticated admin users to crash the server by uplo

Share

CVE-2026-42885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy