CVE-2026-44775
Unauthenticated Image Access in Kavita Reading Server
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kavita | kavita | to 0.9.0 (exc) |
| kareadita | kavita | to 0.9.0 (exc) |
| kareadita | kavita | to 0.8.9.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44775 is a vulnerability in the Kavita reading server affecting versions prior to 0.9.0. The issue is that the ReaderController.GetImage endpoint is marked with [AllowAnonymous], which means it allows unauthenticated access to page images from any chapter in any library.
Although the endpoint accepts an apiKey parameter, this key is never validated, allowing anyone to access images without proper authentication.
Because entity IDs are sequential integers, an attacker can easily enumerate all content on the server by iterating through these IDs, effectively reading every page image across all libraries without authorization.
The root cause is missing authentication and authorization checks in the GetImage method of the ReaderController class.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker to access all page images stored on the Kavita server without any authorization.
Such unauthorized access can lead to information disclosure of potentially sensitive or private content.
Attackers can enumerate all content by exploiting the sequential nature of entity IDs, which means they can systematically retrieve all images from all chapters and libraries.
This could result in privacy breaches, intellectual property theft, or exposure of confidential materials.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the /api/Reader/image endpoint without authentication and observing if page images from any chapter or library are returned.
A simple test command using curl could be:
- curl -v "http://<kavita-server>/api/Reader/image?chapterId=1&page=1"
If the server returns image data without requiring a valid apiKey or authentication, the vulnerability is present.
Additionally, iterating through sequential chapterId and page parameters can confirm if content enumeration is possible.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Kavita to version 0.9.0 or later, where the vulnerability is fixed.
If upgrading is not immediately possible, restrict access to the /api/Reader/image endpoint by network controls such as firewall rules or reverse proxy authentication.
Additionally, remove or disable the [AllowAnonymous] attribute on the ReaderController.GetImage endpoint to enforce authentication.
Ensure that any apiKey parameters are properly validated against stored user keys and that library-scoped authorization checks are implemented.