VYPR
Medium severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-44775

Description

Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Since entity IDs are sequential integers, an unauthenticated attacker can trivially enumerate all content on the server. This vulnerability is fixed in 0.9.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated access to page images in Kavita due to missing validation on apiKey parameter and sequential IDs, fixed in 0.9.0.

Vulnerability

The ReaderController.GetImage endpoint in Kavita versions prior to 0.9.0 is annotated with [AllowAnonymous], allowing unauthenticated access to page images. The endpoint accepts an apiKey parameter but never validates it, so any arbitrary string is accepted [1][2]. The only required inputs are chapterId (a sequential integer) and the page number. This affects all versions before 0.9.0.

Exploitation

An unauthenticated attacker can access page images from any chapter in any library by sending requests to /api/Reader/image?chapterId=&page=&apiKey=anything. Since chapter IDs are sequential integers starting from 1, an attacker can trivially enumerate all chapters and pages.

Impact

Successful exploitation allows an unauthenticated attacker to view all page images stored on the server, leading to unauthorized disclosure of sensitive content (e.g., book pages, manga) from all libraries. No authentication or special privileges are required.

Mitigation

The vulnerability is fixed in Kavita version 0.9.0 [1]. Users should upgrade to 0.9.0 or later. No workaround is available without applying the patch.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing authentication check — the `[AllowAnonymous]` attribute on `GetImage` allows unauthenticated access, and the `apiKey` parameter is never validated."

Attack vector

An unauthenticated attacker with network access to a Kavita instance sends a GET request to `/api/Reader/image` with a `chapterId` (sequential integer), a `page` number, and any arbitrary string as `apiKey`. The endpoint returns the requested page image without any authentication or authorization check [CWE-306]. Because entity IDs are sequential integers, the attacker can trivially enumerate all chapters (1, 2, 3, ...) and pages (0, 1, 2, ...) to retrieve every page image across all libraries [ref_id=1].
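Because the `apiKey` value is never validated on affected versions, it cannot be used to tell clients apart in logs; the sequential `chapterId` pattern can. The following is an added detection example, not part of the advisory or of Kavita: it assumes a reverse proxy writing "combined" format access logs, and the function names and the threshold of five consecutive chapters are illustrative choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed log format: reverse-proxy "combined" access log (not specified by the advisory).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "GET (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
IMAGE_PATH = "/api/reader/image"  # compared in lower case: ASP.NET Core routing ignores case

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of ids."""
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_enumeration(lines, min_chapters=5):
    """Return {client_ip: sorted chapter ids} for clients that were served images
    (HTTP 200) from at least `min_chapters` consecutive chapterId values."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        url = urlsplit(m["target"])
        if url.path.lower() != IMAGE_PATH:
            continue
        # Query keys are lower-cased because model binding is case-insensitive.
        query = {k.lower(): v for k, v in parse_qs(url.query).items()}
        chapter = query.get("chapterid", [""])[0]
        if chapter.isdecimal():
            seen[m["ip"]].add(int(chapter))
    return {ip: sorted(ids) for ip, ids in seen.items() if longest_run(ids) >= min_chapters}

# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE = [
    f'198.51.100.7 - - [26/May/2026:10:00:{i:02d} +0000] "GET /api/Reader/image?chapterId={i}&page=0&apiKey=anything HTTP/1.1" 200 48211 "-" "curl/8.5.0"'
    for i in range(1, 9)
] + [
    f'203.0.113.20 - - [26/May/2026:10:05:{p:02d} +0000] "GET /api/Reader/image?chapterId=42&page={p}&apiKey=k HTTP/1.1" 200 51000 "-" "Mozilla/5.0"'
    for p in range(0, 12)
]

if __name__ == "__main__":
    for ip, chapters in find_enumeration(SAMPLE).items():
        print(f"{ip}: possible chapterId enumeration, chapters {chapters[0]}-{chapters[-1]}")
```

A reader paging through a single chapter produces many `page` values under one `chapterId` and is not flagged; only the client walking consecutive chapter IDs is reported.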

Affected code

The vulnerable endpoint is `ReaderController.GetImage` in `API/Controllers/ReaderController.cs` (lines 116-133). The method is decorated with `[AllowAnonymous]`, and the class itself has no `[Authorize]` attribute. The `apiKey` parameter is accepted but never validated against any stored value.

What the fix does

The advisory recommends removing the `[AllowAnonymous]` attribute from `GetImage` and adding authentication and library-level access checks. Specifically, it suggests calling `SeriesRepository.GetSeriesForChapter(chapterId, userId)` to enforce library-scoped authorization before serving content. If anonymous access is needed for external reader integrations, the `apiKey` parameter should be validated against the user's stored API key via `UserRepository`, and library access should still be enforced for the resolved user [ref_id=1]. The fix is implemented in version 0.9.0.

Preconditions

  • network: Attacker must have network access to a running Kavita instance
  • auth: No authentication or prior knowledge required beyond the server's hostname

Reproduction

`curl -o stolen-page.png "https://<kavita-host>/api/Reader/image?chapterId=1&page=0&apiKey=anything"` [ref_id=1]

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
