PatchSiren cyber security CVE debrief
CVE-2026-44776 Kareadita CVE debrief
A library-level authorization bypass in Kavita reading server allows low-privileged users to access content from libraries they are not assigned to. The vulnerability affects download, size-check, and chapter metadata endpoints where chapterId, volumeId, or seriesId parameters are not properly validated against user library permissions. An attacker with valid credentials but limited privileges can enumerate or guess identifiers to download full file contents, query file sizes, and read metadata for unauthorized content. The CVSS 4.0 vector indicates network attack vector with low attack complexity, privileged access required, and high confidentiality impact to the vulnerable component. No known exploitation in the wild or ransomware campaign use has been reported.
- Vendor: Kareadita
- Product: Kavita
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running Kavita reading server instances with multi-user configurations and library-based access controls should prioritize patching. System administrators responsible for content access governance and security teams monitoring for authorization bypass vulnerabilities in self-hosted media applications should review exposure and apply updates.
Technical summary
The Kavita reading server prior to 0.9.0 fails to enforce library-level authorization on multiple API endpoints. A low-privileged authenticated user can access chapter, volume, and series content by providing valid identifiers (chapterId, volumeId, seriesId) for resources in libraries they are not assigned to. Affected endpoints include size-check operations (/api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size), download operations (/api/Download/volume, /api/Download/chapter, /api/Download/series), and metadata retrieval (/api/Chapter). The vulnerability represents an insecure direct object reference (IDOR) pattern where object identifiers are not validated against the requesting user's authorization scope. Remediation in version 0.9.0 adds proper library-level permission checks before serving content.
Defensive priority
medium
Recommended defensive actions
- Upgrade Kavita to version 0.9.0 or later to remediate the authorization bypass vulnerability
- Review access logs for unusual download patterns or repeated queries to /api/Download/* and /api/Chapter endpoints with varying ID parameters
- Implement additional monitoring for requests accessing content IDs outside a user's assigned library scope
- Validate that library-level authorization checks are enforced consistently across all content access endpoints after patching
- Consider implementing rate limiting on ID-based endpoints to reduce enumeration risk
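As an added illustration of the log-review and out-of-scope monitoring actions above (example code, not from PatchSiren or the Kavita project), the following Python checks constructed access-log lines against a constructed object-to-library map and user-to-library assignments; the log line format, the map, the assignments and the enumeration threshold are all assumptions.

```python
# Added detection example (not PatchSiren's or Kavita's code). The log format
# "<user> <method> <url> <status>" and the object->library map are assumptions.
from collections import defaultdict

SAMPLE_LOG = """\
alice GET /api/Download/chapter?chapterId=101 200
alice GET /api/Chapter?chapterId=102 200
bob GET /api/Download/series-size?seriesId=7 200
bob GET /api/Download/chapter?chapterId=201 200
bob GET /api/Download/chapter?chapterId=202 200
bob GET /api/Download/chapter?chapterId=203 200
bob GET /api/Download/chapter?chapterId=204 200
bob GET /api/Download/volume?volumeId=31 200
alice GET /api/Account/profile 200
"""

# Constructed: library each object belongs to, and libraries assigned per user.
OBJECT_LIBRARY = {
    ("chapterId", 101): 1, ("chapterId", 102): 1, ("seriesId", 7): 2,
    ("chapterId", 201): 2, ("chapterId", 202): 2, ("chapterId", 203): 2,
    ("chapterId", 204): 3, ("volumeId", 31): 3,
}
USER_LIBRARIES = {"alice": {1}, "bob": {2}}
ID_KEYS = ("chapterId", "volumeId", "seriesId")


def analyze(log_text, enum_threshold=4):
    """Return (out_of_scope, enumerators): requests whose object sits in a library
    the user is not assigned to (the IDOR, if the server answered), and users that
    touched >= enum_threshold distinct IDs on the advisory's ID-based endpoints."""
    out_of_scope, ids_seen = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        user, _method, url, _status = parts
        path, _, query = url.partition("?")
        key, _, value = query.partition("=")
        # Only the endpoints named in the advisory: /api/Chapter and /api/Download/*
        if not ((path == "/api/Chapter" or path.startswith("/api/Download/"))
                and key in ID_KEYS and value.isdigit()):
            continue
        oid = int(value)
        ids_seen[user].add((key, oid))
        lib = OBJECT_LIBRARY.get((key, oid))
        if lib is None or lib not in USER_LIBRARIES.get(user, set()):
            out_of_scope.append((user, path, key, oid))
    enumerators = sorted(u for u, s in ids_seen.items() if len(s) >= enum_threshold)
    return out_of_scope, enumerators
```

On the sample, bob's requests for chapter 204 and volume 31 fall outside his assigned library and he also trips the enumeration threshold, while alice's in-scope reads and the non-ID profile request are ignored.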
Evidence notes
Vulnerability description confirms affected endpoints: /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. Fix version 0.9.0 confirmed. CWE-639 (Authorization Bypass Through User-Controlled Key) identified in source metadata.
Official resources
- CVE-2026-44776 CVE record (CVE.org)
- CVE-2026-44776 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-26