CVE-2026-27824
Received Received - Intake
Authentication Bypass in calibre Content Server via Header Manipulation

Publication date: 2026-02-27

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-04
Generated
2026-05-07
AI Q&A
2026-02-27
EPSS Evaluated
2026-05-05
NVD
CVE-2026-27824
EUVD
EUVD-2026-9057
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
calibre-ebook calibre to 9.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the calibre Content Server's brute-force protection mechanism prior to version 9.4.0. The protection uses a ban key derived from both the client's IP address (remote_addr) and the X-Forwarded-For HTTP header. However, because the X-Forwarded-For header is taken directly from the HTTP request without validation or trusted-proxy configuration, an attacker can manipulate this header to bypass IP-based bans.

As a result, the brute-force protection can be completely circumvented by simply changing or adding the X-Forwarded-For header, allowing attackers to continue password guessing or credential stuffing attacks without being blocked.


How can this vulnerability impact me? :

If you run a calibre Content Server exposed to the internet and use its brute-force protection to defend against unauthorized access attempts, this vulnerability can allow attackers to bypass those protections.

This means attackers can perform credential stuffing or password guessing attacks without being blocked by IP bans, increasing the risk of unauthorized access to your e-book management system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade calibre to version 9.4.0 or later, where the issue with the brute-force protection mechanism has been fixed.

Additionally, avoid exposing the calibre Content Server directly to the internet without proper protections, as the vulnerability allows attackers to bypass IP-based bans by manipulating the X-Forwarded-For header.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart