Skip to main content

Kavita CVE-2026-44775

| EUVDEUVD-2026-31936 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-05-26 GitHub_M
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 12:29 vuln.today
Patch available
May 26, 2026 - 19:02 EUVD
CVSS changed
May 26, 2026 - 18:22 NVD
6.9 (MEDIUM)

DescriptionGitHub Advisory

Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Since entity IDs are sequential integers, an unauthenticated attacker can trivially enumerate all content on the server. This vulnerability is fixed in 0.9.0.

AnalysisAI

Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.

Technical ContextAI

Kavita is a self-hosted, cross-platform ASP.NET reading server for managing digital libraries of manga, comics, and books. The vulnerable component is the GetImage action on ReaderController (API/Controllers/ReaderController.cs, line 116), which is decorated with the [AllowAnonymous] ASP.NET attribute - an explicit directive that bypasses the framework's authentication middleware pipeline entirely. Although the endpoint signature accepts an apiKey query parameter that would normally gate API access, no server-side validation of that key is implemented, making the parameter a no-op. The root cause is CWE-306 (Missing Authentication for Critical Function): a function that retrieves private library content has authentication enforcement completely absent. The attack surface is further amplified by the use of sequential integer IDs for chapter and page entities, eliminating any security-through-obscurity barrier and enabling systematic enumeration of all content on the server. CPE cpe:2.3:a:kareadita:kavita:*:*:*:*:*:*:*:* confirms all versions of the Kareadita Kavita product are affected up to the fix release.

RemediationAI

Upgrade Kavita to version 0.9.0 or later, which is the vendor-confirmed fix per GitHub Security Advisory GHSA-6gc9-6r8p-5wg2 (https://github.com/Kareadita/Kavita/security/advisories/GHSA-6gc9-6r8p-5wg2). Until upgrade is feasible, the most effective compensating control is placing Kavita behind a reverse proxy (nginx, Caddy, Traefik) configured to enforce authentication at the proxy layer for requests matching the /api/Reader/image path - note this may interfere with any intentionally anonymous reader access if that use case exists. Alternatively, restricting network access to Kavita via firewall rules or VPN eliminates the remote attack vector entirely without affecting local functionality. Blocking public internet exposure is the lowest-effort, highest-impact short-term mitigation for operators who cannot immediately upgrade. Do not rely on the apiKey query parameter as an access control mechanism in any version prior to 0.9.0, as it is confirmed to be unvalidated.

Share

CVE-2026-44775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy