PT-2026-38908 · Kareadita · Kavita

Kevin Stubbings

Published 2026-05-08 · Updated 2026-05-26

CVE-2026-44775

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Kavita versions prior to 0.9.0

Description: The ReaderController.GetImage endpoint is decorated with [AllowAnonymous], which permits unauthenticated access to page images from any chapter in any library. Although the endpoint accepts an apiKey parameter, it is not validated. Because entity IDs are sequential integers, an attacker can enumerate all content on the server.

Recommendations: Update to version 0.9.0.
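To illustrate the weakness pattern named in the description, here is an added ASP.NET Core sketch (not Kavita's code) showing an anonymous endpoint whose apiKey parameter is ignored next to a hardened form that resolves the key to a user first; the route, the IApiKeyUserLookup and IPageImageService interfaces are assumptions.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical services standing in for the real application's (assumed).
public interface IApiKeyUserLookup { int? UserIdForApiKey(string apiKey); }
public interface IPageImageService { byte[]? GetPage(int chapterId, int page); }

[ApiController]
[Route("api/reader")] // route is an assumption, not the real application's
public class ReaderController : ControllerBase
{
    private readonly IApiKeyUserLookup _users;
    private readonly IPageImageService _images;

    public ReaderController(IApiKeyUserLookup users, IPageImageService images)
    {
        _users = users;
        _images = images;
    }

    // Weak pattern: [AllowAnonymous] removes authentication, and apiKey is
    // accepted but never checked, so any caller may request any
    // (chapterId, page) pair and walk the sequential IDs.
    [AllowAnonymous]
    [HttpGet("image-weak")]
    public IActionResult GetImageWeak(int chapterId, int page, string? apiKey)
    {
        var bytes = _images.GetPage(chapterId, page);
        return bytes is null ? NotFound() : File(bytes, "image/jpeg");
    }

    // Hardened pattern: if the endpoint must stay reachable without a bearer
    // token (e.g. for <img> tags), the apiKey is resolved to a known user and
    // rejected otherwise, before any content lookup happens. A per-library
    // access check for that user would follow at the marked point.
    [AllowAnonymous]
    [HttpGet("image")]
    public IActionResult GetImage(int chapterId, int page, string? apiKey)
    {
        if (string.IsNullOrEmpty(apiKey) || _users.UserIdForApiKey(apiKey) is null)
            return Unauthorized();

        // (library/series access check for the resolved user goes here)
        var bytes = _images.GetPage(chapterId, page);
        return bytes is null ? NotFound() : File(bytes, "image/jpeg");
    }
}
```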

Fix

Weakness Enumeration: Missing Authentication

Related Identifiers: CVE-2026-44775

Affected Products: Kavita