Improper Access Control in janeczku/calibre-web
Description
Improper Access Control in PyPI calibreweb prior to 0.6.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper access control in calibreweb prior to 0.6.16 allows users without permission to create public shelves, potentially exposing private content.
Vulnerability
In calibreweb versions before 0.6.16, the shelf creation feature lacked proper access control. When creating or editing a shelf, the code checked the is_public flag but failed to correctly validate whether the user had the role_edit_shelfs permission. This allowed any authenticated user to create a public shelf by setting the is_public parameter, even if they were not authorized to do so [2][4].
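The mismatch visible in the fix commit, as an added example that is not calibre-web's own code: a minimal model of the permission guard and the is_public assignment in create_edit_shelf, before and after the patch. The names `form`, `can_edit_shelfs`, `shelf_is_public`, `outcome` and `compare_versions` are stand-ins assumed here for the handler's `to_save` dict and `current_user.role_edit_shelfs()`.

```python
# Added example, not calibre-web's own code: models the access-control
# decision in create_edit_shelf() before and after commit 0c0313f.
# `form` stands in for the submitted to_save dict and `can_edit_shelfs`
# for current_user.role_edit_shelfs(); both are assumptions for this demo.

class PermissionDenied(Exception):
    """Raised where the real handler flashes an error and redirects."""

def shelf_is_public(form: dict, can_edit_shelfs: bool, patched: bool) -> int:
    """Return the is_public value the shelf would be stored with.

    The permission guard is the same in both versions: it only fires when
    the submitted value is exactly "on". Before the fix the stored flag was
    derived from truthiness instead, so the two disagreed for other values.
    """
    submitted = form.get("is_public")
    if not can_edit_shelfs and submitted == "on":
        raise PermissionDenied("Sorry you are not allowed to create a public shelf")
    if patched:
        return 1 if submitted == "on" else 0   # same comparison as the guard
    return 1 if submitted else 0               # any non-empty value counted

def outcome(form: dict, can_edit_shelfs: bool, patched: bool) -> str:
    """Reduce the decision to a plain label so versions can be compared."""
    try:
        return "public" if shelf_is_public(form, can_edit_shelfs, patched) else "private"
    except PermissionDenied:
        return "denied"

# Constructed sample requests: the browser checkbox sends "on"; any other
# non-empty string is what a hand-built request could carry instead.
CASES = [
    ({"is_public": "on"}, False),   # normal checkbox, no permission
    ({"is_public": "1"}, False),    # non-"on" value, no permission
    ({"is_public": "on"}, True),    # normal checkbox, with permission
    ({}, False),                    # checkbox unticked
]

def compare_versions():
    """Return (unpatched, patched) outcomes for every constructed case."""
    return [(outcome(f, p, False), outcome(f, p, True)) for f, p in CASES]

if __name__ == "__main__":
    for (form, perm), (old, new) in zip(CASES, compare_versions()):
        print(f"{form!r:22} perm={perm!s:5} unpatched={old:8} patched={new}")
```

The second case is the one the patch closes: before the fix the guard never fired, yet the shelf was stored as public.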
Exploitation
An attacker with any valid user account could exploit this by sending a request to create or edit a shelf with the is_public flag set to "on". No special network access or additional privileges were required beyond normal authenticated access to the web interface.
Impact
Successful exploitation allowed the attacker to create public shelves, which could contain books or metadata that were intended to be private. This resulted in unauthorized information disclosure, as the shelf's contents became visible to other users or the public.
Mitigation
The vulnerability was fixed in calibreweb version 0.6.16, released on 2022-01-30 [2]. The fix, implemented in commit 0c0313f [4], corrected the permission check so that only users with the role_edit_shelfs permission can set a shelf as public. Users should upgrade to version 0.6.16 or later.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| calibreweb (PyPI) | < 0.6.16 | 0.6.16 |
Affected products
- janeczku/calibre-web (vendor: janeczku); affected range: unspecified
Patches
- 0c0313f375be: Prevent creating a public shelf without permission
1 file changed · +1 −1
cps/shelf.py+1 −1 modified@@ -248,7 +248,7 @@ def create_edit_shelf(shelf, page_title, page, shelf_id=False): if not current_user.role_edit_shelfs() and to_save.get("is_public") == "on": flash(_(u"Sorry you are not allowed to create a public shelf"), category="error") return redirect(url_for('web.index')) - is_public = 1 if to_save.get("is_public") else 0 + is_public = 1 if to_save.get("is_public") == "on" else 0 if config.config_kobo_sync: shelf.kobo_sync = True if to_save.get("kobo_sync") else False if shelf.kobo_sync:
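Review bot: the guard just above the changed line compares `to_save.get("is_public")` to the exact string "on", while the removed assignment `is_public = 1 if to_save.get("is_public") else 0` treated any non-empty value as public, so a submission carrying is_public with a value other than "on" passed the role_edit_shelfs guard untouched and was still stored as a public shelf; the added line `is_public = 1 if to_save.get("is_public") == "on" else 0` makes both sites use the same comparison, which closes that gap. To keep them from drifting apart again, consider normalising once, e.g. `is_public = to_save.get("is_public") == "on"`, and using that single boolean in both the permission check and the assignment.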
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-vgmw-9cww-qq99 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-0273 (NVD entry)
3. github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf (fix commit)
4. github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-22.yaml (PyPI advisory database)
5. huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13 (huntr bounty report)