Missing Authentication for Critical Function in Kavita - #VU130156

 

Published: May 5, 2026


Vulnerability identifier: #VU130156
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kareadita
Affected software:
Kavita

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to read page images that should only be available to logged-in users.

The vulnerability exists due to missing authentication for a critical function: the /api/Reader/image endpoint serves page images without verifying that the caller is authenticated. A remote attacker can send a specially crafted request carrying chapterId and page values and receive the corresponding page image without any credentials.

The apiKey query parameter is accepted but never validated, so an empty or arbitrary value is sufficient. Because chapter identifiers are assigned sequentially, an attacker can trivially enumerate page images across all libraries on the instance by iterating chapterId and page.


Remediation

Install the security update from the vendor's website.

Sources