CVE-2026-44776
Description
Kavita is a cross-platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can download the full file contents, query file sizes, and read metadata for that content. This affects /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. This vulnerability is fixed in 0.9.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kavita prior to 0.9.0 does not enforce library-level access on download, size-check, and chapter metadata endpoints, allowing low-privileged users to access files outside their libraries.
Vulnerability
Kavita versions prior to 0.9.0 contain an Insecure Direct Object Reference (IDOR) vulnerability in the /api/Download/ and /api/Chapter endpoints. Specifically, the endpoints /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can access restricted content. The DownloadController is gated only by the DownloadPolicy (checking the Download role) but never verifies library membership, as shown in the HasDownloadPermission() helper, which only checks the user's role [1].
Exploitation
An attacker needs valid low-privileged credentials with the Download role. The attacker can directly call the affected API endpoints with a known or guessed chapterId, volumeId, or seriesId from a restricted library. The repository methods accept the user-supplied IDs without any library-scoped filtering, so no race condition or user interaction is required [1].
Impact
Successful exploitation allows the attacker to download full file contents, query file sizes, and read metadata (chapter metadata) for content in libraries they are not authorized to access. This leads to unauthorized information disclosure and potentially exfiltration of sensitive files [1].
Mitigation
The vulnerability is fixed in Kavita version 0.9.0. Users should upgrade to this version or later. No workarounds are available for older versions [1]. In the fixed version, the affected endpoints enforce library-level authorization. There is no evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing library-level authorization checks in download, size-check, and chapter metadata endpoints allow user-controlled entity IDs to bypass access controls."
Attack vector
An authenticated low-privileged user who has the Download role but is not assigned to a library can access content in that library by supplying a known or guessed `chapterId`, `volumeId`, or `seriesId` to the affected endpoints. Because Kavita entity IDs are sequential integers, an attacker can trivially enumerate all content. The attacker sends a GET request to `/api/Download/chapter-size?chapterId=N`, `/api/Download/chapter?chapterId=N`, or `/api/Chapter?chapterId=N` (or the volume/series variants) with their own bearer token. The server returns file size, full file download, or chapter metadata without verifying the user has access to the owning library [1].
Affected code
The `DownloadController` (API/Controllers/DownloadController.cs) is gated only by `DownloadPolicy` (checking the Download role) and never verifies library-level authorization. The `HasDownloadPermission()` helper only checks the user's role, not library membership. All six download/size-check endpoints pass user-supplied IDs directly to repository methods like `GetFilesForChapterAsync` that perform no library-scoped filtering. Similarly, `ChapterController.GetChapter` (API/Controllers/ChapterController.cs) returns metadata for any `chapterId` without library access checks.
What the fix does
The advisory recommends that each affected endpoint verify the requesting user has access to the library that owns the requested entity before returning data. The existing `UserRepository.HasAccessToSeries(userId, seriesId)` and `SeriesRepository.GetSeriesForChapter(chapterId, userId)` methods already implement the correct library-scoped access checks and should be called in each endpoint, returning 403/404 when access is denied [1]. The fix is implemented in version 0.9.0.
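The library-scoped check the advisory describes, shown as an added ASP.NET Core illustration that is not Kavita's own code: only the method names `HasAccessToSeries` and `GetSeriesForChapter` come from the advisory; the repository interfaces, the file-size service, the claim used to read the caller's user id, and the route names are assumptions made for this example.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical contracts standing in for Kavita's repositories. The two method
// names follow the advisory; the interfaces themselves are assumed.
public record SeriesSummary(int Id, string Name);

public interface IUserRepository
{
    // True only when the user is assigned to the library that owns the series.
    Task<bool> HasAccessToSeries(int userId, int seriesId);
}

public interface ISeriesRepository
{
    // Resolves a chapter to its owning series through a query already filtered
    // by the user's library assignments. Null means "does not exist or is not
    // visible to this user"; the caller must not distinguish the two cases.
    Task<SeriesSummary?> GetSeriesForChapter(int chapterId, int userId);
}

// Assumed file-size lookup; it performs no authorization of its own.
public interface IDownloadFileService
{
    Task<long> GetChapterSizeAsync(int chapterId);
    Task<long> GetSeriesSizeAsync(int seriesId);
}

[Authorize(Policy = "DownloadPolicy")] // role gate only: says nothing about libraries
[ApiController]
[Route("api/[controller]")]
public class DownloadController : ControllerBase
{
    private readonly IUserRepository _userRepo;
    private readonly ISeriesRepository _seriesRepo;
    private readonly IDownloadFileService _files;

    public DownloadController(IUserRepository userRepo, ISeriesRepository seriesRepo,
        IDownloadFileService files)
    {
        _userRepo = userRepo;
        _seriesRepo = seriesRepo;
        _files = files;
    }

    // Caller's user id from the bearer token; the claim type is an assumption.
    private int CurrentUserId() =>
        int.Parse(User.FindFirst(ClaimTypes.NameIdentifier)!.Value);

    // Vulnerable shape, kept for contrast (assumed route name): the class-level
    // policy is the only check, so any user holding the Download role can size
    // any chapter in any library by supplying its id.
    [HttpGet("chapter-size-unscoped")]
    public async Task<ActionResult<long>> GetChapterSizeUnscoped(int chapterId)
    {
        return Ok(await _files.GetChapterSizeAsync(chapterId));
    }

    // Hardened shape: resolve the chapter through the user-scoped query before
    // touching file data. Returning 404 for both "missing" and "not in your
    // libraries" avoids confirming that a guessed id exists.
    [HttpGet("chapter-size")]
    public async Task<ActionResult<long>> GetChapterSize(int chapterId)
    {
        var series = await _seriesRepo.GetSeriesForChapter(chapterId, CurrentUserId());
        if (series is null) return NotFound();
        return Ok(await _files.GetChapterSizeAsync(chapterId));
    }

    // For series-level endpoints the id is the series itself, so the library
    // membership check is direct; the advisory allows 403 or 404 here.
    [HttpGet("series-size")]
    public async Task<ActionResult<long>> GetSeriesSize(int seriesId)
    {
        if (!await _userRepo.HasAccessToSeries(CurrentUserId(), seriesId)) return Forbid();
        return Ok(await _files.GetSeriesSizeAsync(seriesId));
    }
}
```

The design point is that the role policy and the library check answer different questions: the policy says the caller may download in general, while the scoped repository call ties the specific `chapterId` or `seriesId` to a library the caller is assigned to. Putting the check in a query that is filtered by user id (rather than fetching the entity first and comparing afterwards) means an unauthorized request never loads the file records at all, and the same pattern applies to the volume and chapter metadata endpoints the advisory lists.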
Preconditions
- auth: Attacker must be an authenticated user with the Download role
- input: Attacker must know or guess a chapterId, volumeId, or seriesId belonging to a restricted library
- input: Entity IDs are sequential integers, making enumeration trivial
Reproduction
The advisory includes a JavaScript proof of concept that can be executed in the browser developer console. It first discovers a chapterId from a private library while logged in as admin, then logs in as a low-privileged test user (who has the Download role but is not assigned to that library), and demonstrates the test user can download the private chapter's files and read its metadata [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.