CVE-2026-44775
Status: Deferred - Pending Action
Unauthenticated Image Access in Kavita Reading Server

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Kavita is a cross-platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Since entity IDs are sequential integers, an unauthenticated attacker can trivially enumerate all content on the server. This vulnerability is fixed in 0.9.0.
Meta Information

Generated: 2026-06-16
EPSS Evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products

Vendor      Product   Version / Range
kavita      kavita    < 0.9.0
kareadita   kavita    < 0.9.0
kareadita   kavita    <= 0.8.9.1
CWE

CWE-306 (Missing Authentication for Critical Function): the product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

CVE-2026-44775 affects Kavita reading server versions prior to 0.9.0. The ReaderController.GetImage endpoint is decorated with [AllowAnonymous], so page images from any chapter in any library can be fetched without authenticating.

The endpoint accepts an apiKey query parameter, but the value is never checked, so the parameter provides no protection: requests with no key, or with an arbitrary one, are served exactly like requests with a genuine key.

Because entity IDs are sequential integers, an attacker who knows nothing about the server can iterate over them and retrieve every page image in every library.

The root cause is the absence of both authentication and authorization in ReaderController.GetImage: no user identity is established for the request, and nothing ties the requested chapter to a library the caller is permitted to read.

Impact Analysis

An unauthenticated attacker can read every page image stored on the Kavita server, with no authorization check of any kind.

The immediate consequence is pre-authentication information disclosure of whatever the server hosts, which may be private, licensed or otherwise sensitive material.

Because the identifiers are sequential, the exposure is not limited to a lucky guess: the attacker can walk the id space systematically and pull all images from all chapters in all libraries.

Depending on what the instance holds, the result is a privacy breach, loss of licensed or proprietary content, or exposure of confidential documents.

Detection Guidance

The vulnerability is detected by requesting the /api/Reader/image endpoint with no credentials and observing whether a page image comes back.

A quick check from a host that has no session with the server, sending neither an Authorization header nor an apiKey:

  • curl -s -o /dev/null -w '%{http_code} %{content_type}\n' "http://<kavita-server>/api/Reader/image?chapterId=1&page=1"

Read the result as follows: 200 with an image/* content type means a page image was served to an anonymous caller and the vulnerability is present; 401 or 403 means authentication is enforced; 404 only means that chapterId or page does not exist, so try a few other ids before concluding anything. On an unpatched server, adding any apiKey value to the query string changes nothing, because the parameter is never checked.
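The check above as a small script. This is an added example, not Kavita project code; it assumes only what the advisory states, namely the /api/Reader/image route with its chapterId and page parameters. The two fake_*_server functions are constructed stand-ins for a vulnerable and a patched server so the logic can be exercised offline; pass a real base URL on the command line to use the live transport.

```python
"""
Unauthenticated probe for CVE-2026-44775: does GET /api/Reader/image on a Kavita
instance hand back a page image to a caller that presents no credentials at all?

Added example, not Kavita code. Assumes only the advisory's route and parameters.
The fake_*_server functions are constructed fakes; http_fetch is the real transport.
"""
import urllib.error
import urllib.request
from typing import Callable, Iterable

IMAGE_ENDPOINT = "/api/Reader/image"

# A fetch returns (HTTP status, Content-Type header) for a URL.
Fetch = Callable[[str], tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> tuple[int, str]:
    """Real transport: plain GET, no Authorization header, no apiKey parameter."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2026-44775-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "") if err.headers else ""


def classify(status: int, content_type: str) -> str:
    """Interpret one response. A 404 only says the id was not found; it proves
    nothing about authentication, which is why a probe tries more than one id."""
    if status == 200 and content_type.lower().startswith("image/"):
        return "vulnerable"      # image bytes served without any credential
    if status in (401, 403):
        return "protected"       # the server demanded authentication first
    if status == 404:
        return "not-found"       # no such chapter/page; inconclusive on its own
    return "inconclusive"


def probe(base_url: str, chapter_ids: Iterable[int], page: int = 1,
          fetch: Fetch = http_fetch) -> dict[int, str]:
    """Probe a bounded set of sequential chapter ids. Keep the range small and
    never walk the whole id space on a server you do not operate."""
    base = base_url.rstrip("/")
    return {cid: classify(*fetch(f"{base}{IMAGE_ENDPOINT}?chapterId={cid}&page={page}"))
            for cid in chapter_ids}


def verdict(results: dict[int, str]) -> tuple[str, list[int]]:
    """Collapse per-id results into one verdict plus the ids that leaked an image."""
    exposed = sorted(cid for cid, r in results.items() if r == "vulnerable")
    if exposed:
        return "VULNERABLE", exposed
    if any(r == "protected" for r in results.values()):
        return "PROTECTED", []
    return "INCONCLUSIVE", []    # e.g. every probed id returned 404


# --- constructed fakes standing in for a vulnerable and a patched server ---------
def _chapter_id(url: str) -> int:
    return int(url.split("chapterId=")[1].split("&")[0])


def fake_vulnerable_server(url: str) -> tuple[int, str]:
    """Pre-0.9.0 behaviour: chapters that exist (ids 1-3 and 7 here) go to anyone."""
    return (200, "image/png") if _chapter_id(url) in {1, 2, 3, 7} else (404, "text/plain")


def fake_patched_server(url: str) -> tuple[int, str]:
    """0.9.0 behaviour: authentication is required before any lookup happens."""
    return 401, ""


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = http_fetch if target else fake_vulnerable_server
    results = probe(target or "http://kavita.example", range(1, 11), fetch=fetch)
    status, ids = verdict(results)
    print(status, "exposed chapterIds:", ids)
```

Run with no arguments to see the logic against the constructed vulnerable fake; run with `python probe.py http://<kavita-server>` against an instance you operate. The verdict deliberately stays INCONCLUSIVE when every probed id returns 404, because that outcome is consistent with both a patched server and an unpatched one whose low ids simply do not exist.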

Iterating over successive chapterId values and observing that each request returns an image confirms that the sequential identifiers make bulk enumeration possible. Confine such probing to servers you operate.
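The same enumeration leaves a trace in whatever sits in front of Kavita. The following is an added example, not Kavita code, that flags it in nginx combined-format access logs written by a reverse proxy; the log lines are constructed, and the thresholds (20 distinct chapters, a consecutive run of 10) are illustrative choices rather than anything the advisory specifies. The signal is many distinct chapterIds from one client forming runs of consecutive integers; page numbers are ignored on purpose, because an ordinary reader also requests pages 0, 1, 2, ... of a single chapter in order.

```python
"""
Detect CVE-2026-44775 enumeration in reverse-proxy access logs.

Added example, not Kavita code. Assumes an nginx "combined" format log in front
of Kavita; the proxy log is the only record tying a client to a chapterId, since
an [AllowAnonymous] route gives the application no user identity to log.
The sample log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# nginx combined: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def image_request(line: str):
    """Return (client_ip, chapter_id) for a successful GET of the image route, else None.
    ASP.NET routes are case-insensitive, so /api/reader/image and /api/Reader/image match."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET" or m["status"] != "200":
        return None
    parts = urlsplit(m["path"])
    if parts.path.lower() != "/api/reader/image":
        return None
    cid = parse_qs(parts.query).get("chapterId")
    if not cid or not cid[0].isdigit():
        return None
    return m["ip"], int(cid[0])


def longest_consecutive_run(values: set[int]) -> int:
    """Length of the longest run k, k+1, ..., k+n-1 present in the set."""
    best = 0
    for v in values:
        if v - 1 in values:          # only start counting at the beginning of a run
            continue
        n = 1
        while v + n in values:
            n += 1
        best = max(best, n)
    return best


def find_enumerators(lines, min_chapters: int = 20, min_run: int = 10) -> dict[str, dict]:
    """Flag clients that fetched images from many distinct chapters including a long
    consecutive run of ids. Returns {ip: {"chapters": n, "longest_run": r}}."""
    per_ip: dict[str, set[int]] = defaultdict(set)
    for line in lines:
        hit = image_request(line)
        if hit:
            per_ip[hit[0]].add(hit[1])
    flagged = {}
    for ip, chapters in per_ip.items():
        run = longest_consecutive_run(chapters)
        if len(chapters) >= min_chapters and run >= min_run:
            flagged[ip] = {"chapters": len(chapters), "longest_run": run}
    return flagged


# --- constructed sample: one scraper, one ordinary reader ------------------------
def _line(ip: str, query: str) -> str:
    return (f'{ip} - - [26/May/2026:10:00:00 +0000] "GET /api/Reader/image?{query} HTTP/1.1" '
            f'200 48213 "-" "curl/8.5.0"')


SAMPLE_LOG = (
    # 203.0.113.7 walks chapterId 1..40, one page each: enumeration
    [_line("203.0.113.7", f"chapterId={cid}&page=0") for cid in range(1, 41)]
    # 198.51.100.5 reads chapter 12 page by page through the web reader: normal use
    + [_line("198.51.100.5", f"chapterId=12&page={p}&apiKey=REDACTED") for p in range(0, 30)]
)

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info['chapters']} distinct chapters, run of {info['longest_run']}")
```

In production the grouping should be windowed by time (the constructed sample has a single timestamp), and the thresholds tuned to the library size: a scraper walking the id space touches far more distinct chapters per minute than any human reader does.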

Mitigation Strategies

Upgrade Kavita to 0.9.0 or later, where the issue is fixed.

If upgrading is not immediately possible, restrict who can reach the server at all, for example by placing the whole application behind a VPN or an authenticating reverse proxy. Blocking only the /api/Reader/image path is not a workable interim fix: Kavita's own web reader loads page images through that same URL, so a per-endpoint rule would also break normal reading.

Operators who build Kavita from source can instead remove the [AllowAnonymous] attribute from ReaderController.GetImage so that the endpoint requires an authenticated caller like the rest of the API.

Whichever path is taken, the apiKey value must be looked up against stored user keys and the resolved user must be authorized for the library that contains the requested chapter; authentication alone, without the library-scoped check, would still let any logged-in user read every library.

Compliance Impact

The vulnerability allows unauthenticated access to all page images across any chapter or library in the Kavita server, leading to pre-authentication information disclosure.

Such unauthorized exposure of potentially sensitive content could violate data protection requirements found in common standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of personal or sensitive data.

Because the vulnerability enables trivial enumeration and access without authentication or authorization, it undermines confidentiality and access control principles critical for compliance.
