VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2024 · Updated Nov 15, 2024

Improper Access Control in janeczku/calibre-web

CVE-2021-3987

Description

An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the create_shelf method in shelf.py not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An improper access control vulnerability in Calibre-Web allows users without public shelf permissions to create public shelves.

Vulnerability Detail

CVE-2021-3987 is an improper access control vulnerability in Calibre-Web, a web application for browsing and reading eBooks stored in a Calibre database [2]. The flaw exists in the create_shelf method within shelf.py. When a user submits a request to create a shelf, the method does not verify whether the user has the necessary permissions to create a public shelf. Consequently, any authenticated user, even those without the role_edit_shelfs permission, can create public shelves [1].

Exploitation and Impact

An attacker with any level of authenticated access can exploit this by sending a POST request to the /shelf/create endpoint. No special privileges are needed beyond a valid login. This allows unauthorized creation of public shelves, which may expose content or lead to further unauthorized actions within the application [1]. The severity is amplified because Calibre-Web supports fine-grained per-user permissions, and this bypass undermines that access control model.

Mitigation

The vulnerability was fixed in commit bcdc976 by adding a permission check before creating a shelf [3]. If the current user lacks the required role, the request is denied with an error message and redirected. Users should update to a version that includes this commit or later. The issue was reported via a bug bounty program [4].
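As an added illustration of the fix described above (example code, not Calibre-Web's own), here is a stripped-down model of the create path before and after the patch, a narrower variant that gates only the public flag (an assumption about the intended permission model, not the project's fix), and an audit over existing shelves; the role name and the User and Shelf types are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role name standing in for Calibre-Web's role_edit_shelfs(); not project code.
ROLE_EDIT_SHELFS = "edit_shelfs"

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

    def role_edit_shelfs(self) -> bool:
        return ROLE_EDIT_SHELFS in self.roles

@dataclass
class Shelf:
    name: str
    owner: str
    is_public: bool = False

def create_shelf_vulnerable(user: User, name: str, is_public: bool) -> Optional[Shelf]:
    """Pre-fix behaviour: the public flag comes straight from the form, unchecked."""
    return Shelf(name, user.name, is_public)

def create_shelf_fixed(user: User, name: str, is_public: bool) -> Optional[Shelf]:
    """Post-fix behaviour as in commit bcdc976: a user without the role is refused
    on every create request, whatever the public flag says (None = flash + redirect)."""
    if not user.role_edit_shelfs():
        return None
    return Shelf(name, user.name, is_public)

def create_shelf_scoped(user: User, name: str, is_public: bool) -> Optional[Shelf]:
    """Narrower variant (an assumption, not the project's fix): only the public
    flag needs the role, so unprivileged users keep private shelves."""
    if is_public and not user.role_edit_shelfs():
        return None
    return Shelf(name, user.name, is_public)

def audit_public_shelves(shelves, users) -> list:
    """Defender check after upgrading: public shelves whose owner lacks the role
    were most likely created through the unpatched endpoint."""
    by_name = {u.name: u for u in users}
    return [s for s in shelves
            if s.is_public and not by_name[s.owner].role_edit_shelfs()]
```

The audit is the part worth running on a real deployment after updating: the patch stops new unauthorized public shelves but does nothing about ones created earlier.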

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: calibreweb (PyPI)
Affected versions: < 0.6.15
Patched versions: 0.6.15

Affected products: 2

Patches: 1
bcdc97641447

Added missing check for creating public shelves

https://github.com/janeczku/calibre-web · Ozzie Isaacs · Nov 20, 2021 · via ghsa
1 file changed · +7 −2
  • cps/shelf.py (+7 −2, modified)
    @@ -224,8 +224,13 @@ def remove_from_shelf(shelf_id, book_id):
     @shelf.route("/shelf/create", methods=["GET", "POST"])
     @login_required
     def create_shelf():
    -    shelf = ub.Shelf()
    -    return create_edit_shelf(shelf, page_title=_(u"Create a Shelf"), page="shelfcreate")
    +    if not current_user.role_edit_shelfs() and request.method == 'POST':
    +        flash(_(u"Sorry you are not allowed to create a public shelf"), category="error")
    +        return redirect(url_for('web.index'))
    +    else:
    +        shelf = ub.Shelf()
    +        return create_edit_shelf(shelf, page_title=_(u"Create a Shelf"), page="shelfcreate")
    +
     
     
     @shelf.route("/shelf/edit/<int:shelf_id>", methods=["GET", "POST"])
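Review bot: the condition `if not current_user.role_edit_shelfs() and request.method == 'POST'` refuses every shelf creation by a user without the role, private as well as public, although the flash message speaks only of public shelves; if private shelves are meant to remain available, the check should look at the submitted public flag rather than the request method alone. Two smaller gaps: on GET the form is still rendered for users who will be refused on submit, and the `/shelf/edit/<int:shelf_id>` route that shares `create_edit_shelf` is not touched by this hunk, so the same role check is needed wherever an existing shelf can be switched to public.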
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
