Executive Summary

CVE-2026-42885 is a vulnerability in the Audiobookshelf application affecting versions prior to 2.32.2. The issue occurs in the POST /api/filesystem/pathexists endpoint, which uses a string prefix check (String.startsWith()) to verify if a resolved file path is within an authorized library folder.

This check is flawed because it fails when sibling directories share a common prefix (for example, /audiobooks and /audiobooks-private). As a result, authenticated users with upload permissions can probe for the existence of files outside their authorized library folder boundaries.

The vulnerability allows attackers to discover whether specific files or directories exist in restricted areas without accessing the file contents, potentially revealing sensitive filesystem layout information.

The root cause is that the code uses a simple string prefix comparison instead of a proper path boundary check. A correct path-aware function exists in the codebase but was not used in this endpoint.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated users with upload permissions to probe for the existence of files and directories outside their authorized library folders.

While it does not allow direct access to file contents, it can reveal sensitive information about the filesystem layout, which could be leveraged in further attacks or privacy violations.

The impact is limited to confidentiality, with no direct impact on integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the POST /api/filesystem/pathexists endpoint in Audiobookshelf versions prior to 2.32.2, where an improper path validation allows probing of file existence outside authorized directories.

To detect exploitation attempts on your system, you can monitor HTTP POST requests to the /api/filesystem/pathexists endpoint, especially those made by authenticated users with upload permissions.

You may use network monitoring or web server logs to identify suspicious requests that include file paths with prefixes similar to authorized directories but targeting sibling directories (e.g., paths starting with /audiobooks-private when /audiobooks is authorized).

Example commands to detect such activity could include:

• Using grep on web server logs to find POST requests to the vulnerable endpoint: grep 'POST /api/filesystem/pathexists' /var/log/nginx/access.log
• Searching for suspicious path parameters in request bodies or logs that include path prefixes similar to authorized folders but targeting sibling directories.
• Using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to /api/filesystem/pathexists and analyze payloads for path probing attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Audiobookshelf to version 2.32.2 or later, where the vulnerability is fixed by replacing the insecure startsWith() path check with a proper path boundary validation function.

If upgrading immediately is not possible, consider restricting access to the POST /api/filesystem/pathexists endpoint to only trusted users or networks, and monitor for suspicious activity as a temporary measure.

Additionally, review and limit upload permissions to only necessary users to reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows authenticated users with upload permissions to probe for the existence of files outside their authorized library folder boundaries, revealing sensitive filesystem layout information without accessing file contents.

While the confidentiality impact is limited to file existence disclosure, this information leakage could potentially aid in further attacks or privacy violations.

Such unauthorized information disclosure may affect compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding sensitive information and preventing unauthorized access or exposure.

Useful 0 Not Useful 0