Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can download the full file contents, query file sizes, and read metadata for that content. This affects /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. This vulnerability is fixed in 0.9.0.
AnalysisAI
Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.
Technical ContextAI
Kavita is an open-source, cross-platform digital library server (CPE: cpe:2.3:a:kareadita:kavita:*:*:*:*:*:*:*:*) designed for serving manga, comics, books, and related media in multi-user environments where library-level access control is a core security boundary. The vulnerability class is CWE-639 (Authorization Bypass Through User-Controlled Key): the server accepts user-supplied integer resource identifiers - chapterId, volumeId, seriesId - and fulfills the request based solely on the validity of the identifier, without cross-checking whether the authenticated user has been assigned to the library that owns the requested resource. This means the library permission model, which is intended to partition content between user groups, is entirely absent from the Download and Chapter API controller logic. Seven distinct endpoints are affected, spanning both content delivery and metadata/size-query operations.
RemediationAI
Upgrade to Kavita 0.9.0 or later, which the vendor confirms resolves the missing library-level authorization enforcement across all seven affected endpoints; this is documented in the GitHub Security Advisory at https://github.com/Kareadita/Kavita/security/advisories/GHSA-x3jq-95xw-gwvr. For deployments where immediate upgrade is not possible, remove or suspend all non-administrative user accounts as a temporary measure - since exploitation requires an existing authenticated session, eliminating untrusted authenticated access closes the immediate attack surface, though this may significantly disrupt normal multi-user operations. Additionally, placing Kavita behind a VPN or authenticated reverse proxy (e.g., requiring network-level authentication before the Kavita login screen is reachable) reduces exposure to external attackers but provides no protection against insider or already-authenticated threats. None of these workarounds substitute for patching, as the root authorization logic flaw remains present until the 0.9.0 upgrade is applied.
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. Rated medium severity (CVSS 6
Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obta
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated
Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0. Rated low severity (C
Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image acro
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31937