PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44775 Kareadita CVE debrief

Kavita is a cross-platform reading server. Prior to version 0.9.0, the ReaderController.GetImage endpoint was decorated with [AllowAnonymous], permitting completely unauthenticated access to page images from any chapter in any library. Although the endpoint accepts an apiKey parameter, this parameter was never validated. Because entity IDs are sequential integers, an unauthenticated attacker could trivially enumerate all content on the server. This vulnerability is fixed in version 0.9.0.

Vendor
Kareadita
Product
Kavita
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations and individuals running Kavita reading server instances, particularly those hosting private or sensitive content libraries. It is also relevant to system administrators responsible for securing self-hosted media servers and to developers building similar API-based content delivery systems.

Technical summary

The ReaderController.GetImage endpoint in Kavita versions prior to 0.9.0 fails to enforce authentication despite accepting an apiKey parameter. The endpoint's [AllowAnonymous] attribute, combined with the lack of apiKey validation, allows unauthenticated attackers to retrieve page images from any chapter in any library. Sequential integer entity IDs enable trivial content enumeration. The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function) with a CVSS 4.0 score of 6.9 (MEDIUM severity).

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Kavita to version 0.9.0 or later to remediate the authentication bypass vulnerability.
  • Review all API endpoints decorated with [AllowAnonymous] to ensure proper authentication and authorization controls are implemented.
  • Implement validation for all authentication parameters including apiKey, rejecting requests with missing or invalid credentials.
  • Consider using non-sequential identifiers for sensitive resources to reduce the risk of enumeration attacks.
  • Audit access logs for unauthorized requests to the ReaderController.GetImage endpoint made before the patch was applied.
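The following script is an added example for the log-audit action above; it is not PatchSiren's or Kavita's code. Because the endpoint was reachable without authentication, a 200 response alone does not distinguish a legitimate reader from an unauthenticated client, so the script instead looks for the enumeration pattern the advisory describes: one source walking many adjacent chapterId values in a short time. It assumes a combined-style access log written by a reverse proxy in front of Kavita and assumes the GetImage route is logged as /api/reader/image; the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed path under which the proxy logs ReaderController.GetImage; adjust to
# what your own proxy records.
GETIMAGE_PATH = "/api/reader/image"

# Combined-style access log line (client ip, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one reader paging through chapter 42, one client
# walking chapterId 1..8 within a few seconds (and hitting a missing chapter 9),
# plus an unrelated request and an unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2026:10:00:01 +0000] "GET /api/reader/image?chapterId=42&page=0&apiKey=REDACTED HTTP/1.1" 200 51234
203.0.113.7 - - [26/May/2026:10:00:09 +0000] "GET /api/reader/image?chapterId=42&page=1&apiKey=REDACTED HTTP/1.1" 200 49870
203.0.113.7 - - [26/May/2026:10:00:18 +0000] "GET /api/reader/image?chapterId=42&page=2&apiKey=REDACTED HTTP/1.1" 200 50011
203.0.113.7 - - [26/May/2026:10:00:30 +0000] "GET /api/library HTTP/1.1" 200 812
198.51.100.9 - - [26/May/2026:10:05:00 +0000] "GET /api/reader/image?chapterId=1&page=0 HTTP/1.1" 200 40210
198.51.100.9 - - [26/May/2026:10:05:01 +0000] "GET /api/reader/image?chapterId=2&page=0 HTTP/1.1" 200 41002
198.51.100.9 - - [26/May/2026:10:05:02 +0000] "GET /api/reader/image?chapterId=3&page=0 HTTP/1.1" 200 39988
198.51.100.9 - - [26/May/2026:10:05:03 +0000] "GET /api/reader/image?chapterId=4&page=0 HTTP/1.1" 200 40500
198.51.100.9 - - [26/May/2026:10:05:04 +0000] "GET /api/reader/image?chapterId=5&page=0 HTTP/1.1" 200 40777
198.51.100.9 - - [26/May/2026:10:05:05 +0000] "GET /api/reader/image?chapterId=6&page=0 HTTP/1.1" 200 41310
198.51.100.9 - - [26/May/2026:10:05:06 +0000] "GET /api/reader/image?chapterId=7&page=0 HTTP/1.1" 200 40090
198.51.100.9 - - [26/May/2026:10:05:07 +0000] "GET /api/reader/image?chapterId=8&page=0 HTTP/1.1" 200 40655
198.51.100.9 - - [26/May/2026:10:05:08 +0000] "GET /api/reader/image?chapterId=9&page=0 HTTP/1.1" 404 0
garbage line that does not parse
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "status": int(m.group("status")),
    }


def get_image_requests(log_text):
    """Return parsed GetImage requests that actually served an image (HTTP 200)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == GETIMAGE_PATH and rec["status"] == 200:
            try:
                rec["chapter_id"] = int(rec["query"].get("chapterId", ""))
            except ValueError:
                continue  # no usable chapterId; nothing to correlate
            out.append(rec)
    return out


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among `ids`."""
    ids = set(ids)
    best = 0
    for start in ids:
        if start - 1 in ids:
            continue  # only count from the beginning of a run
        length = 1
        while start + length in ids:
            length += 1
        best = max(best, length)
    return best


def find_enumeration(log_text, min_run=5, window_seconds=120):
    """Flag clients that fetched >= min_run adjacent chapterIds within window_seconds.

    Sequential entity IDs are what made enumeration trivial, so a single source
    touching a run of neighbouring chapters in a short time is the signal to triage.
    """
    by_ip = defaultdict(list)
    for rec in get_image_requests(log_text):
        by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, lo = None, 0
        for hi in range(len(recs)):  # sliding time window over this client's requests
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_seconds:
                lo += 1
            ids = [r["chapter_id"] for r in recs[lo:hi + 1]]
            run = longest_consecutive_run(ids)
            if run >= min_run and (best is None or run > best["consecutive_chapters"]):
                best = {"ip": ip, "consecutive_chapters": run,
                        "distinct_chapters": len(set(ids)),
                        "first": recs[lo]["ts"], "last": recs[hi]["ts"]}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print(f"{f['ip']}: {f['consecutive_chapters']} consecutive chapters "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Run it against the proxy log that covers the period before the upgrade to 0.9.0; tune min_run and window_seconds to what a real reader on your instance looks like, since a legitimate client reading a series straight through will also touch adjacent chapterIds, just at a much slower pace.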

Evidence notes

The vulnerability description is sourced from the official CVE record published by NVD on 2026-05-26. The issue involves missing authentication on a specific API endpoint (ReaderController.GetImage) in Kavita versions prior to 0.9.0. The CVSS 4.0 vector indicates network accessibility with low attack complexity, no privileges required, and no user interaction needed. The weakness is classified as CWE-306 (Missing Authentication for Critical Function).

Official resources

2026-05-26