Compliance Impact

This vulnerability allows authenticated users to access and enumerate collections and full book metadata from libraries they are explicitly restricted from accessing. Although the exposed data does not include actual file contents, it includes collection names, descriptions, book metadata, filesystem paths, and library item IDs.

Such unauthorized access to restricted data could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information. The failure to enforce proper access controls may result in unauthorized disclosure of personal or sensitive data, thereby affecting compliance with these standards.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-42884 is a vulnerability in the Audiobookshelf application where certain API endpoints (GET /api/collections and GET /api/collections/:id) do not properly enforce access controls on libraries.

This means that an authenticated user who has access to any library can access collections and full book metadata from libraries they are not authorized to access.

The issue arises because these endpoints fail to verify whether the user has permission to view the collections' libraries, allowing unauthorized enumeration and reading of collection data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information such as collection names, descriptions, book metadata, filesystem paths, and library item IDs.

Although the actual audiobook files are not exposed, the leakage of metadata and library structure can compromise privacy and confidentiality.

Since the vulnerability requires only low privileges and has low attack complexity, it increases the risk that an attacker with minimal access could exploit it to gather restricted information.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether an authenticated user can access collections from libraries they are not authorized to access via the endpoints GET /api/collections and GET /api/collections/:id.

You can attempt to enumerate collections using these API endpoints with an authenticated user account that has limited library access and check if collections from other restricted libraries are returned.

Example commands using curl to test this might be:

• curl -H "Authorization: Bearer <token>" https://<your-audiobookshelf-server>/api/collections
• curl -H "Authorization: Bearer <token>" https://<your-audiobookshelf-server>/api/collections/<collection_id>

If collections from libraries the user should not have access to are returned, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Audiobookshelf to version 2.32.2 or later, where this vulnerability is fixed.

The fix involves ensuring that the GET /api/collections and GET /api/collections/:id endpoints properly check library access permissions and only return collections from libraries the authenticated user is authorized to access.

If upgrading immediately is not possible, consider restricting access to the affected API endpoints to trusted users only or disabling the API endpoints temporarily.

Useful 0 Not Useful 0