SB20260505102 - Missing Authentication for Critical Function in Kavita
Published: May 5, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-44775)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to obtain sensitive image data.
The vulnerability exists due to missing authentication for a critical function in the /api/Reader/image endpoint when handling image requests. A remote attacker can send a specially crafted request with chapterId and page values to retrieve page images without authenticating.
The apiKey parameter is accepted but never validated, and because chapter identifiers are sequential, page images across libraries can be enumerated trivially.
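The check a fixed endpoint of this shape needs, written here as an added example in Python rather than Kavita's own ASP.NET code: authenticate the apiKey (constant-time compare), then authorize the chapter's library for that user, and only then look up the page. The keys, chapter ids, library ids and image bytes are constructed sample data, not values from the advisory.

```python
import hmac
from typing import Mapping, Optional, Tuple

# Constructed sample data (hypothetical; not Kavita's real keys, chapters or libraries).
API_KEYS: Mapping[str, str] = {
    "k-alice-0001": "alice",
    "k-bob-0002": "bob",
}
# chapterId -> (libraryId, {page -> image bytes}); sequential ids mirror the advisory.
CHAPTERS: Mapping[int, Tuple[int, Mapping[int, bytes]]] = {
    100: (1, {0: b"\x89PNG...page0", 1: b"\x89PNG...page1"}),
    101: (2, {0: b"\x89PNG...private"}),
}
# user -> libraries that user is allowed to read
USER_LIBRARIES: Mapping[str, frozenset] = {
    "alice": frozenset({1}),
    "bob": frozenset({1, 2}),
}


def authenticate(api_key: Optional[str]) -> Optional[str]:
    """Resolve apiKey to a user with a constant-time comparison, or None if unknown."""
    if not api_key:
        return None
    for known, user in API_KEYS.items():
        if hmac.compare_digest(known.encode(), api_key.encode()):
            return user
    return None


def serve_page_image(params: Mapping[str, str]) -> Tuple[int, bytes]:
    """Hardened handler: authenticate first, then authorize the chapter's library,
    then look up the page. Returns (HTTP status, body)."""
    user = authenticate(params.get("apiKey"))
    if user is None:
        return 401, b""                     # reject before touching any chapter data
    try:
        chapter_id = int(params["chapterId"])
        page = int(params["page"])
    except (KeyError, ValueError):
        return 400, b""
    chapter = CHAPTERS.get(chapter_id)
    # Same status for "not found" and "not permitted", so walking sequential
    # chapterIds reveals nothing about chapters in other libraries.
    if chapter is None or chapter[0] not in USER_LIBRARIES.get(user, frozenset()):
        return 404, b""
    image = chapter[1].get(page)
    return (200, image) if image is not None else (404, b"")
```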
Remediation
Install the update from the vendor's website.