Compliance Impact

This vulnerability allows unauthorized access to sensitive library content by bypassing library-level authorization checks. Such unauthorized access to protected data can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls to prevent unauthorized disclosure of personal or sensitive information.

Because the vulnerability enables low-privileged users to download files and read metadata from libraries they are not authorized to access, it increases the risk of data breaches and non-compliance with standards mandating confidentiality and integrity of data.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-44776 is an Insecure Direct Object Reference (IDOR) vulnerability in Kavita version v0.8.9.1 and earlier. It occurs because several API endpoints do not enforce proper library-level authorization checks. This means that a low-privileged authenticated user who knows or can guess identifiers like chapterId, volumeId, or seriesId can access files, query file sizes, and read metadata from libraries they are not authorized to access.

The affected endpoints include /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. The vulnerability allows unauthorized users to bypass access controls by exploiting the predictable nature of these IDs.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive content stored in Kavita libraries. An attacker with low privileges can download full file contents, obtain file size information, and read metadata from libraries they should not have access to. This compromises confidentiality and may expose private or restricted information.

Because the IDs are sequential and easily guessable, the attacker can enumerate many resources, increasing the scope of unauthorized data exposure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the affected Kavita API endpoints with an authenticated user who has the Download role but does not have access to certain libraries. By guessing or enumerating sequential IDs such as chapterId, volumeId, or seriesId, you can check if unauthorized access to files, file sizes, or metadata is possible.

Suggested commands involve making HTTP requests to the vulnerable endpoints with different IDs to see if access is granted without proper authorization. For example, using curl or similar tools:

• curl -H "Authorization: Bearer <token>" https://<kavita-server>/api/Download/chapter?chapterId=<guessed_id>
• curl -H "Authorization: Bearer <token>" https://<kavita-server>/api/Download/volume-size?volumeId=<guessed_id>
• curl -H "Authorization: Bearer <token>" https://<kavita-server>/api/Chapter?chapterId=<guessed_id>

If these requests return data for libraries the user should not have access to, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Kavita to version 0.9.0 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, restrict access to the affected API endpoints (/api/Download/* and /api/Chapter) to trusted users only, and monitor usage closely.

Additionally, review and implement proper library-level authorization checks in the application code, ensuring that methods like UserRepository.HasAccessToSeries() or SeriesRepository.GetSeriesForChapter() are used to verify access before serving content.

Useful 0 Not Useful 0