CVE-2026-42883

Name of the Vulnerable Software and Affected Versions Audiobookshelf versions prior to 2.32.2

Description An issue exists in the 'GET /api/libraries/:id/download' endpoint where the system validates if a user has access to the library specified in the URL path but fails to constrain the fetched downloadable items to that specific library. Consequently, an authenticated user with download permissions and access to at least one library can exfiltrate the full file contents of items from any other library, including those to which they are explicitly denied access, by providing specific item IDs.

Recommendations Update to version 2.32.2.