CVE-2026-27824
Received Received - Intake
Authentication Bypass in calibre Content Server via Header Manipulation

Publication date: 2026-02-27

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27824
EUVD
EUVD-2026-9057
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
calibre-ebook calibre to 9.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the calibre Content Server's brute-force protection mechanism prior to version 9.4.0. The protection uses a ban key derived from both the client's IP address (remote_addr) and the X-Forwarded-For HTTP header. However, because the X-Forwarded-For header is taken directly from the HTTP request without validation or trusted-proxy configuration, an attacker can manipulate this header to bypass IP-based bans.

As a result, the brute-force protection can be completely circumvented by simply changing or adding the X-Forwarded-For header, allowing attackers to continue password guessing or credential stuffing attacks without being blocked.

Impact Analysis

If you run a calibre Content Server exposed to the internet and use its brute-force protection to defend against unauthorized access attempts, this vulnerability can allow attackers to bypass those protections.

This means attackers can perform credential stuffing or password guessing attacks without being blocked by IP bans, increasing the risk of unauthorized access to your e-book management system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade calibre to version 9.4.0 or later, where the issue with the brute-force protection mechanism has been fixed.

Additionally, avoid exposing the calibre Content Server directly to the internet without proper protections, as the vulnerability allows attackers to bypass IP-based bans by manipulating the X-Forwarded-For header.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27824. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart