CVE-2026-42884
Audiobookshelf Collection Enumeration via Unauthorized Library Access

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to each collection's library. An authenticated user with access to any library can enumerate and read collections (including full book metadata) from libraries they are explicitly restricted from accessing. This vulnerability is fixed in 2.32.2.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-12
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: audiobookshelf
Product: audiobookshelf
Version / Range: 2.32.2
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42884 is a vulnerability in the Audiobookshelf application where certain API endpoints (GET /api/collections and GET /api/collections/:id) do not properly enforce access controls on libraries.

This means that an authenticated user who has access to any library can access collections and full book metadata from libraries they are not authorized to access.

The issue arises because these endpoints fail to verify whether the user has permission to view the collections' libraries, allowing unauthorized enumeration and reading of collection data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated users to access and enumerate collections and full book metadata from libraries they are explicitly restricted from accessing. Although the exposed data does not include actual file contents, it includes collection names, descriptions, book metadata, filesystem paths, and library item IDs.

Such unauthorized access to restricted data could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information. The failure to enforce proper access controls may result in unauthorized disclosure of personal or sensitive data, thereby affecting compliance with these standards.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive information such as collection names, descriptions, book metadata, filesystem paths, and library item IDs.

Although the actual audiobook files are not exposed, the leakage of metadata and library structure can compromise privacy and confidentiality.

Since the vulnerability requires only low privileges and has low attack complexity, it increases the risk that an attacker with minimal access could exploit it to gather restricted information.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing whether an authenticated user can access collections from libraries they are not authorized to access via the endpoints GET /api/collections and GET /api/collections/:id.

You can attempt to enumerate collections using these API endpoints with an authenticated user account that has limited library access and check if collections from other restricted libraries are returned.

Example commands using curl to test this might be:

  • curl -H "Authorization: Bearer <token>" https://<your-audiobookshelf-server>/api/collections
  • curl -H "Authorization: Bearer <token>" https://<your-audiobookshelf-server>/api/collections/<collection_id>

If collections from libraries the user should not have access to are returned, the vulnerability is present.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Audiobookshelf to version 2.32.2 or later, where this vulnerability is fixed.

The fix involves ensuring that the GET /api/collections and GET /api/collections/:id endpoints properly check library access permissions and only return collections from libraries the authenticated user is authorized to access.

If upgrading immediately is not possible, consider restricting access to the affected API endpoints to trusted users only or disabling the API endpoints temporarily.
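
The missing check behind CWE-863 on these two endpoints, shown as a vulnerable handler beside its fixed form. This is an added illustration written for this page, not Audiobookshelf's own code; the user and collection field names (librariesAccessible, libraryId, accessAllLibraries) are assumptions.

```javascript
// Illustrative reconstruction of the missing library check (CWE-863) behind
// CVE-2026-42884, written for this page; it is not Audiobookshelf's own code.
// The field names (librariesAccessible, libraryId, accessAllLibraries) are
// assumptions chosen for the example.

// Constructed sample data: collections from two libraries and a user who
// has been granted access to "lib-a" only.
const collections = [
  { id: 'col-1', name: 'Sci-Fi', libraryId: 'lib-a', books: ['b1', 'b2'] },
  { id: 'col-2', name: 'Private', libraryId: 'lib-b', books: ['b3'] },
];
const restrictedUser = {
  id: 'u1',
  permissions: { accessAllLibraries: false },
  librariesAccessible: ['lib-a'],
};

// Assumed access model: admins see everything, others only listed libraries.
function canAccessLibrary(user, libraryId) {
  if (user.permissions.accessAllLibraries) return true;
  return user.librariesAccessible.includes(libraryId);
}

// Vulnerable shape of GET /api/collections: the caller is authenticated,
// but no per-library authorization is performed, so every collection from
// every library (with its book metadata) is returned.
function listCollectionsVulnerable(user, all) {
  if (!user) return { status: 401, body: null };
  return { status: 200, body: all };
}

// Fixed shape: keep only collections whose library the caller may access.
function listCollectionsFixed(user, all) {
  if (!user) return { status: 401, body: null };
  const visible = all.filter((c) => canAccessLibrary(user, c.libraryId));
  return { status: 200, body: visible };
}

// Fixed shape of GET /api/collections/:id. A collection in a restricted
// library is answered with 404, exactly like a nonexistent id, so the
// response does not reveal which ids exist in libraries the caller cannot see.
function getCollectionFixed(user, all, id) {
  if (!user) return { status: 401, body: null };
  const col = all.find((c) => c.id === id);
  if (!col || !canAccessLibrary(user, col.libraryId)) {
    return { status: 404, body: null };
  }
  return { status: 200, body: col };
}
```

The same filter applied in the list handler must also guard the single-item lookup; fixing only one of the two endpoints leaves the other as a way to read restricted collections by id.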

