SB20260505102 - Missing Authentication for Critical Function in Kavita




Published: May 5, 2026

Security Bulletin ID SB20260505102
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-44775)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive image data.

The vulnerability exists due to missing authentication for a critical function: the /api/Reader/image endpoint does not authenticate image requests. A remote attacker can send a specially crafted request with chapterId and page values to disclose sensitive image data.

The apiKey parameter is accepted but not validated, and sequential chapter identifiers allow trivial enumeration of page images across libraries.
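As an added detection example (not part of this bulletin and not Kavita project code), the following Python flags clients that sweep sequential chapterId values against /api/Reader/image. It assumes an nginx-style combined access log from a reverse proxy in front of Kavita; the log lines, IPs and apiKey values below are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed reverse-proxy access lines (not real Kavita logs).
# 203.0.113.7 walks chapterId 100..105; 198.51.100.4 reads one chapter's pages.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2026:10:00:01 +0000] "GET /api/Reader/image?chapterId=100&page=0&apiKey=junk HTTP/1.1" 200 51234
203.0.113.7 - - [05/May/2026:10:00:02 +0000] "GET /api/Reader/image?chapterId=101&page=0&apiKey=junk HTTP/1.1" 200 48211
203.0.113.7 - - [05/May/2026:10:00:02 +0000] "GET /api/Reader/image?chapterId=102&page=0&apiKey=junk HTTP/1.1" 200 50102
203.0.113.7 - - [05/May/2026:10:00:03 +0000] "GET /api/Reader/image?chapterId=103&page=0&apiKey=junk HTTP/1.1" 200 47990
203.0.113.7 - - [05/May/2026:10:00:03 +0000] "GET /api/Reader/image?chapterId=104&page=0&apiKey=junk HTTP/1.1" 200 52311
203.0.113.7 - - [05/May/2026:10:00:04 +0000] "GET /api/Reader/image?chapterId=105&page=0&apiKey=junk HTTP/1.1" 200 49876
203.0.113.7 - - [05/May/2026:10:00:04 +0000] "GET /api/Reader/image?chapterId=106&page=0&apiKey=junk HTTP/1.1" 404 0
198.51.100.4 - - [05/May/2026:10:01:10 +0000] "GET /api/Reader/image?chapterId=42&page=0&apiKey=real HTTP/1.1" 200 61000
198.51.100.4 - - [05/May/2026:10:01:25 +0000] "GET /api/Reader/image?chapterId=42&page=1&apiKey=real HTTP/1.1" 200 59870
198.51.100.4 - - [05/May/2026:10:01:41 +0000] "GET /api/Reader/image?chapterId=42&page=2&apiKey=real HTTP/1.1" 200 60120
198.51.100.4 - - [05/May/2026:10:01:58 +0000] "GET /api/Reader/image?chapterId=42&page=3&apiKey=real HTTP/1.1" 200 58400
198.51.100.4 - - [05/May/2026:10:02:15 +0000] "GET /api/Reader/image?chapterId=42&page=4&apiKey=real HTTP/1.1" 200 60990
198.51.100.4 - - [05/May/2026:10:02:20 +0000] "GET /api/Library HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_image_requests(log_text):
    """Yield (ip, chapter_id, page) for every successful /api/Reader/image request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/api/Reader/image" or m["status"] != "200":
            continue
        q = parse_qs(url.query)
        try:
            yield m["ip"], int(q.get("chapterId", [""])[0]), int(q.get("page", [""])[0])
        except ValueError:
            continue  # malformed or missing numeric parameters

def find_enumeration(log_text, min_distinct=5, max_gap=1):
    """Return {ip: sorted chapter ids} for clients whose distinct chapterIds form a near-contiguous run."""
    seen = defaultdict(set)
    for ip, chapter, _page in parse_image_requests(log_text):
        seen[ip].add(chapter)
    flagged = {}
    for ip, chapters in seen.items():
        ids = sorted(chapters)
        # A reader paging through one chapter touches few ids; a sweep touches many adjacent ones.
        if len(ids) >= min_distinct and all(b - a <= max_gap for a, b in zip(ids, ids[1:])):
            flagged[ip] = ids
    return flagged
```

Tune min_distinct and max_gap to the library's size and normal reading patterns before alerting on production logs.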


Remediation

Install the update from the vendor's website.