Skip to main content

Kavita CVE-2026-44776

| EUVDEUVD-2026-31937 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-26 GitHub_M
5.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 12:29 vuln.today
Patch available
May 26, 2026 - 19:02 EUVD
CVSS changed
May 26, 2026 - 18:22 NVD
5.9 (MEDIUM)

DescriptionGitHub Advisory

Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can download the full file contents, query file sizes, and read metadata for that content. This affects /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. This vulnerability is fixed in 0.9.0.

AnalysisAI

Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.

Technical ContextAI

Kavita is an open-source, cross-platform digital library server (CPE: cpe:2.3:a:kareadita:kavita:*:*:*:*:*:*:*:*) designed for serving manga, comics, books, and related media in multi-user environments where library-level access control is a core security boundary. The vulnerability class is CWE-639 (Authorization Bypass Through User-Controlled Key): the server accepts user-supplied integer resource identifiers - chapterId, volumeId, seriesId - and fulfills the request based solely on the validity of the identifier, without cross-checking whether the authenticated user has been assigned to the library that owns the requested resource. This means the library permission model, which is intended to partition content between user groups, is entirely absent from the Download and Chapter API controller logic. Seven distinct endpoints are affected, spanning both content delivery and metadata/size-query operations.

RemediationAI

Upgrade to Kavita 0.9.0 or later, which the vendor confirms resolves the missing library-level authorization enforcement across all seven affected endpoints; this is documented in the GitHub Security Advisory at https://github.com/Kareadita/Kavita/security/advisories/GHSA-x3jq-95xw-gwvr. For deployments where immediate upgrade is not possible, remove or suspend all non-administrative user accounts as a temporary measure - since exploitation requires an existing authenticated session, eliminating untrusted authenticated access closes the immediate attack surface, though this may significantly disrupt normal multi-user operations. Additionally, placing Kavita behind a VPN or authenticated reverse proxy (e.g., requiring network-level authentication before the Kavita login screen is reachable) reduces exposure to external attackers but provides no protection against insider or already-authenticated threats. None of these workarounds substitute for patching, as the root authorization logic flaw remains present until the 0.9.0 upgrade is applied.

Share

CVE-2026-44776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy