VYPR
Critical severity · NVD Advisory · Published Jan 17, 2022 · Updated Aug 3, 2024

Business Logic Errors in janeczku/calibre-web

CVE-2021-4171

Description

calibre-web is vulnerable to Business Logic Errors

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Calibre-Web allows creation of duplicate public shelves due to a business logic error in the shelf-name uniqueness check.

Vulnerability

Calibre-Web, a web-based eBook management application [1], contains a business logic error in the shelf creation and editing functionality. The check_shelf_is_unique function used shelf.is_public (which defaults to 0 before assignment) instead of the intended is_public parameter when verifying uniqueness of public shelf names. This allowed users with permission to create public shelves to bypass the uniqueness constraint and create multiple public shelves with identical names. The vulnerability affects versions prior to commit 3e0d876 [3].

Exploitation

An attacker must be a logged-in user with the role_edit_shelfs permission (i.e., allowed to create public shelves). The attacker can create a public shelf with a chosen name, then create another public shelf with the same name. Because the uniqueness check incorrectly evaluated the first shelf's is_public as 0 (non-public) at the time of the check, the duplicate name was accepted. No special network position or additional user interaction is required beyond the attacker's own actions.

Impact

Successful exploitation results in the creation of multiple public shelves with the same name. This violates data integrity and can lead to confusion among users browsing the library, as shelves are no longer uniquely identifiable. The vulnerability does not directly enable information disclosure, privilege escalation, or remote code execution; it is a business logic flaw that degrades the application's expected behavior.

Mitigation

The issue was fixed in commit 3e0d876 [3] by passing the is_public parameter to check_shelf_is_unique and assigning shelf.is_public after the uniqueness check. Users should update Calibre-Web to a version that includes this commit (e.g., any release after January 2022). As a workaround, administrators can restrict the role_edit_shelfs permission to trusted users only. The vulnerability was reported via huntr.dev [4].
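The ordering change made by commit 3e0d876, reduced to an in-memory model as an added example (this is not calibre-web's code; the Session class and the two sample shelves are constructed stand-ins for the SQLAlchemy session and ub.Shelf). The pre-fix variant sets the public flag on the attached shelf before the uniqueness check, so a rejected edit still leaves the flag changed and a later commit produces two public shelves named "Books"; the fixed variant validates the parameter first and assigns only on success.

```python
from dataclasses import dataclass


@dataclass
class Shelf:
    id: int
    name: str
    is_public: int = 0


class Session:
    """Stand-in ORM session: an edited shelf stays attached after a rejected
    request, so a later commit persists any attribute already changed on it."""
    def __init__(self, shelves):
        self.attached = list(shelves)
        self.committed = []

    def public_named(self, title, exclude_id):
        # Mirrors: Shelf.name == title AND Shelf.is_public == 1, excluding shelf_id
        return [s for s in self.attached
                if s.name == title and s.is_public == 1 and s.id != exclude_id]

    def commit(self):
        self.committed = [Shelf(s.id, s.name, s.is_public) for s in self.attached]


def edit_shelf_vulnerable(session, shelf, title, is_public):
    """Pre-fix ordering: assign the public flag, then run the uniqueness check."""
    shelf.is_public = is_public                        # mutated before validation
    if shelf.is_public == 1 and session.public_named(title, shelf.id):
        return False                                   # rejected, flag already changed
    shelf.name = title
    return True


def edit_shelf_fixed(session, shelf, title, is_public):
    """Post-fix ordering: validate the parameter, assign only on success."""
    if is_public == 1 and session.public_named(title, shelf.id):
        return False
    shelf.name = title
    shelf.is_public = is_public
    return True


def run(edit):
    # Constructed data: public shelf "Books" plus a private shelf of the same name.
    session = Session([Shelf(1, "Books", 1), Shelf(2, "Books", 0)])
    accepted = edit(session, session.attached[1], "Books", 1)  # promote #2 to public
    session.commit()                                           # later session flush
    names = [s.name for s in session.committed if s.is_public == 1]
    return accepted, sorted({n for n in names if names.count(n) > 1})
```

run(edit_shelf_vulnerable) returns (False, ['Books']): the edit was rejected, yet the committed state holds two public shelves with that name; run(edit_shelf_fixed) returns (False, []).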

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: calibreweb (PyPI)
Affected versions: < 0.6.15
Patched versions: 0.6.15

Affected products: 2

Patches: 1

3e0d8763c377

Prevent 2 public shelves with same names due to changing public property

https://github.com/janeczku/calibre-web · Ozzieisaacs · Dec 26, 2021 · via ghsa
1 file changed · +5 −4
  • cps/shelf.py · +5 −4 · modified
    @@ -248,12 +248,13 @@ def create_edit_shelf(shelf, page_title, page, shelf_id=False):
             if not current_user.role_edit_shelfs() and to_save.get("is_public") == "on":
                 flash(_(u"Sorry you are not allowed to create a public shelf"), category="error")
                 return redirect(url_for('web.index'))
    -        shelf.is_public = 1 if to_save.get("is_public") else 0
    +        is_public = 1 if to_save.get("is_public") else 0
             if config.config_kobo_sync:
                 shelf.kobo_sync = True if to_save.get("kobo_sync") else False
             shelf_title = to_save.get("title", "")
    -        if check_shelf_is_unique(shelf, shelf_title, shelf_id):
    +        if check_shelf_is_unique(shelf, shelf_title, is_public, shelf_id):
                 shelf.name = shelf_title
    +            shelf.is_public = is_public
                 if not shelf_id:
                     shelf.user_id = int(current_user.id)
                     ub.session.add(shelf)
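Review bot: the substantive fix in this hunk is the deferred `shelf.is_public = is_public` inside the success branch; previously the flag was written onto the shelf object before check_shelf_is_unique ran, and since an existing shelf is already attached to the session (ub.session.add is only reached when shelf_id is false), a rejected title still left the changed public flag on the object for a later flush to persist. The same mutate-before-validate ordering remains for `shelf.kobo_sync = True if to_save.get("kobo_sync") else False`, which is still assigned before the check, so consider moving it into the same success branch, and add a regression test that edits a private shelf to public with a title already used by another public shelf and asserts is_public is unchanged after the rejection.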
    @@ -284,12 +285,12 @@ def create_edit_shelf(shelf, page_title, page, shelf_id=False):
                                      sync_only_selected_shelves=sync_only_selected_shelves)
     
     
    -def check_shelf_is_unique(shelf, title, shelf_id=False):
    +def check_shelf_is_unique(shelf, title, is_public, shelf_id=False):
         if shelf_id:
             ident = ub.Shelf.id != shelf_id
         else:
             ident = true()
    -    if shelf.is_public == 1:
    +    if is_public == 1:
             is_shelf_name_unique = ub.session.query(ub.Shelf) \
                                        .filter((ub.Shelf.name == title) & (ub.Shelf.is_public == 1)) \
                                        .filter(ident) \
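Review bot: inserting `is_public` as a new positional parameter ahead of `shelf_id=False` changes the call signature, so any other caller still passing shelf_id positionally as the third argument would now have that value silently read as is_public; the one call site visible in the first hunk is updated, but the remaining callers should be checked, and a keyword-only form (`def check_shelf_is_unique(shelf, title, *, is_public, shelf_id=False)`) would turn such a mismatch into a TypeError. If `shelf` is no longer referenced in the rest of the function now that the branch tests the parameter, the parameter can be dropped as well.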
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.