CVE-2026-42885
Path Traversal in Audiobookshelf Server

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validate that a resolved file path is within a library folder. This check fails for sibling directories whose names share a common prefix (e.g., /audiobooks vs /audiobooks-private), allowing authenticated users with upload permission to probe file existence outside their authorized library folder boundaries. This vulnerability is fixed in 2.32.2.
Meta Information
Generated: 2026-05-12
AI Q&A generated: 2026-05-12
EPSS evaluated: N/A
Affected Vendors & Products

Vendor    Product          Version / Range
advplyr   audiobookshelf   up to 2.32.2 (excluding)
advplyr   audiobookshelf   up to 2.33.2 (excluding)
CWE

CWE ID   Description
CWE-22   The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated users with upload permissions to probe for the existence of files outside their authorized library folder boundaries, revealing sensitive filesystem layout information without accessing file contents.

While the confidentiality impact is limited to disclosing whether a file exists, this information leakage could aid further attacks or privacy violations.

Such unauthorized information disclosure may affect compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding sensitive information and preventing unauthorized access or exposure.


Can you explain this vulnerability to me?

CVE-2026-42885 is a vulnerability in the Audiobookshelf application affecting versions prior to 2.32.2. The issue occurs in the POST /api/filesystem/pathexists endpoint, which uses a string prefix check (String.startsWith()) to verify if a resolved file path is within an authorized library folder.

This check is flawed because it fails when sibling directories share a common prefix (for example, /audiobooks and /audiobooks-private). As a result, authenticated users with upload permissions can probe for the existence of files outside their authorized library folder boundaries.

The vulnerability allows attackers to discover whether specific files or directories exist in restricted areas without accessing the file contents, potentially revealing sensitive filesystem layout information.

The root cause is that the code uses a simple string prefix comparison instead of a proper path boundary check. A correct path-aware function exists in the codebase but was not used in this endpoint.


How can this vulnerability impact me?

This vulnerability allows authenticated users with upload permissions to probe for the existence of files and directories outside their authorized library folders.

While it does not allow direct access to file contents, it can reveal sensitive information about the filesystem layout, which could be leveraged in further attacks or privacy violations.

The impact is limited to confidentiality, with no direct impact on integrity or availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the POST /api/filesystem/pathexists endpoint in Audiobookshelf versions prior to 2.32.2, where improper path validation allows probing of file existence outside authorized directories.

To detect exploitation attempts on your system, you can monitor HTTP POST requests to the /api/filesystem/pathexists endpoint, especially those made by authenticated users with upload permissions.

You may use network monitoring or web server logs to identify suspicious requests that include file paths with prefixes similar to authorized directories but targeting sibling directories (e.g., paths starting with /audiobooks-private when /audiobooks is authorized).

Example commands to detect such activity could include:

  • Using grep on web server logs to find POST requests to the vulnerable endpoint: grep 'POST /api/filesystem/pathexists' /var/log/nginx/access.log
  • Searching for suspicious path parameters in request bodies or logs that include path prefixes similar to authorized folders but targeting sibling directories (a standard access log records only the request line, not the POST body, so the path parameter is usually visible only in application-level logging or a packet capture).
  • Using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to /api/filesystem/pathexists and analyze payloads for path probing attempts.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Audiobookshelf to version 2.32.2 or later, where the vulnerability is fixed by replacing the insecure startsWith() path check with a proper path boundary validation function.

If upgrading immediately is not possible, consider restricting access to the POST /api/filesystem/pathexists endpoint to only trusted users or networks, and monitor for suspicious activity as a temporary measure.

Additionally, review and limit upload permissions to only necessary users to reduce the risk of exploitation.

