CVE-2026-44776
Information Disclosure in Kavita Reading Server
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kareadita | kavita | to 0.9.0 (exc) |
| kareadita | kavita | 0.9.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44776 is an Insecure Direct Object Reference (IDOR) vulnerability in Kavita version v0.8.9.1 and earlier. It occurs because several API endpoints do not enforce proper library-level authorization checks. This means that a low-privileged authenticated user who knows or can guess identifiers like chapterId, volumeId, or seriesId can access files, query file sizes, and read metadata from libraries they are not authorized to access.
The affected endpoints include /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. The vulnerability allows unauthorized users to bypass access controls by exploiting the predictable nature of these IDs.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive content stored in Kavita libraries. An attacker with low privileges can download full file contents, obtain file size information, and read metadata from libraries they should not have access to. This compromises confidentiality and may expose private or restricted information.
Because the IDs are sequential and easily guessable, the attacker can enumerate many resources, increasing the scope of unauthorized data exposure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the affected Kavita API endpoints with an authenticated user who has the Download role but does not have access to certain libraries. By guessing or enumerating sequential IDs such as chapterId, volumeId, or seriesId, you can check if unauthorized access to files, file sizes, or metadata is possible.
Suggested commands involve making HTTP requests to the vulnerable endpoints with different IDs to see if access is granted without proper authorization. For example, using curl or similar tools:
- curl -H "Authorization: Bearer <token>" https://<kavita-server>/api/Download/chapter?chapterId=<guessed_id>
- curl -H "Authorization: Bearer <token>" https://<kavita-server>/api/Download/volume-size?volumeId=<guessed_id>
- curl -H "Authorization: Bearer <token>" https://<kavita-server>/api/Chapter?chapterId=<guessed_id>
If these requests return data for libraries the user should not have access to, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Kavita to version 0.9.0 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, restrict access to the affected API endpoints (/api/Download/* and /api/Chapter) to trusted users only, and monitor usage closely.
Additionally, review and implement proper library-level authorization checks in the application code, ensuring that methods like UserRepository.HasAccessToSeries() or SeriesRepository.GetSeriesForChapter() are used to verify access before serving content.