Skip to main content

Audiobookshelf CVE-2026-42886

| EUVDEUVD-2026-29209 MEDIUM
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-05-11 GitHub_M
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
May 11, 2026 - 21:03 EUVD
Analysis Generated
May 11, 2026 - 20:31 vuln.today
CVE Published
May 11, 2026 - 19:54 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an uploaded .audiobookshelf ZIP file entirely into memory using zip.entryData(), with no limit on the decompressed size. The upload middleware also has no file size limit. An admin user can upload a crafted ZIP containing a highly compressed details entry that, when decompressed, consumes hundreds of megabytes or gigabytes of memory, crashing the server process via out-of-memory. This vulnerability is fixed in 2.32.2.

AnalysisAI

Denial-of-service in Audiobookshelf prior to version 2.32.2 allows authenticated admin users to crash the server by uploading a specially crafted ZIP file to the backup upload endpoint. The vulnerability stems from decompressing ZIP entries without size limits, enabling an attacker to craft a highly compressed archive that consumes gigabytes of memory when extracted, exhausting server resources and triggering an out-of-memory condition.

Technical ContextAI

Audiobookshelf's POST /api/backups/upload endpoint uses zip.entryData() to decompress entries from uploaded .audiobookshelf ZIP files without validating or limiting decompressed size. This is a classic zip bomb vulnerability (CWE-409: Improper Resource Validation). The upload middleware itself also lacks file size restrictions on the incoming request. An attacker with admin credentials can craft a ZIP using extreme compression ratios (e.g., gigabytes of zeros compressed to kilobytes), which expand to enormous memory allocations during decompression, overwhelming Node.js heap memory and crashing the process.

RemediationAI

Upgrade Audiobookshelf to version 2.32.2 or later immediately; this is the vendor-released fix addressing the decompression bomb vulnerability. If immediate upgrade is not feasible, restrict admin role assignment to only trusted users and implement network-level access controls to limit who can reach the /api/backups/upload endpoint (e.g., firewall rules, reverse proxy authentication). Monitor server memory and CPU usage for anomalous spikes during backup operations. These workarounds do not eliminate the vulnerability but reduce exposure window and attack surface. Refer to the GitHub security advisory at https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-4jq4-rvq8-j26h for patch confirmation.

CVE-2025-25205 HIGH POC
8.2 Feb 12

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 8.2), this vulnerability is remo

CVE-2025-46338 MEDIUM POC
6.9 Apr 29

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.9), this vulnerability is re

CVE-2023-47624 MEDIUM POC
6.5 Dec 13

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.5), this vulnerability is re

CVE-2023-47619 MEDIUM POC
6.5 Dec 13

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.5), this vulnerability is re

CVE-2026-27963 MEDIUM POC
4.8 Feb 26

Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library meta

CVE-2024-35236 MEDIUM POC
4.8 May 27

Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 4.8), this vulnerability is re

CVE-2024-43797 MEDIUM POC
4.3 Sep 02

audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 4.3), this vulnerability is re

CVE-2023-51697 HIGH
7.5 Dec 27

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remo

CVE-2023-51665 HIGH
7.5 Dec 27

Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remo

CVE-2026-42888 MEDIUM
6.9 May 11

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/c

CVE-2026-42883 MEDIUM
6.5 May 11

Authenticated users with download permissions in Audiobookshelf prior to 2.32.2 can download files from libraries they d

CVE-2026-42887 MEDIUM
4.5 May 11

Stored cross-site scripting (XSS) in Audiobookshelf prior to 2.33.0 allows authenticated administrators to inject malici

Share

CVE-2026-42886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy