Origin validation error in Calibre - CVE-2026-27824
Published: June 29, 2026
Calibre
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass the Content Server's brute-force protection and make an unlimited number of password-guessing attempts.
The vulnerability exists because the Content Server's brute-force protection derives the client identity used for its failed-attempt counter from the user-supplied X-Forwarded-For header without validating that the request actually arrived through a trusted proxy. A remote attacker who connects directly can therefore send a different X-Forwarded-For value with each authentication request, spreading failed attempts across many counters so that the ban threshold is never reached.
The issue affects deployments that have authentication enabled together with the ban settings. The same authentication path can also be used for username enumeration, because the response differs depending on whether the supplied username exists.
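The keying mistake described above, as an added illustration that is not Calibre's code: the two counter-key functions, the ban threshold and the trusted-proxy range are hypothetical, chosen to show the behaviour rather than to mirror the Content Server's implementation. The simulation sends twenty wrong passwords from a single attacker address with a fresh X-Forwarded-For value on each request, first against a counter keyed on the header and then against one that honours the header only when the TCP peer is a trusted reverse proxy.

```python
import ipaddress
from collections import defaultdict

# Hypothetical values for this demonstration, not Calibre's real settings.
MAX_FAILED_ATTEMPTS = 3
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_key_vulnerable(peer_ip, headers):
    """Flawed pattern: the ban counter is keyed on whatever address the
    client wrote into X-Forwarded-For, regardless of who the TCP peer is."""
    xff = headers.get("X-Forwarded-For", "")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_key_hardened(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted reverse
    proxy; otherwise key on the peer address, which the client cannot spoof."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return peer_ip
    if not any(peer in net for net in trusted_proxies):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Walk from the right: each trusted proxy appends the address it saw, so the
    # first untrusted hop from the right is the real client. Anything left of it
    # was supplied by the client and is ignored.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable chain: fall back to the peer address
        if not any(addr in net for net in trusted_proxies):
            return hop
    return peer_ip


class BanTracker:
    """Minimal per-key failed-login counter with a ban threshold."""

    def __init__(self, key_func, max_failures=MAX_FAILED_ATTEMPTS):
        self.key_func = key_func
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def is_banned(self, peer_ip, headers):
        return self.failures[self.key_func(peer_ip, headers)] >= self.max_failures

    def record_failure(self, peer_ip, headers):
        self.failures[self.key_func(peer_ip, headers)] += 1


def simulate_rotating_xff(key_func, attempts=20, attacker_ip="198.51.100.7"):
    """Attacker on one IP (constructed sample address) sends `attempts` wrong
    passwords, putting a different address in X-Forwarded-For each time.
    Returns how many requests reached the password check instead of being
    refused as banned."""
    tracker = BanTracker(key_func)
    reached_password_check = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"203.0.113.{i}"}  # constructed spoofed value
        if tracker.is_banned(attacker_ip, headers):
            continue
        reached_password_check += 1
        tracker.record_failure(attacker_ip, headers)  # every guess is wrong
    return reached_password_check


if __name__ == "__main__":
    print("header-keyed counter:", simulate_rotating_xff(client_key_vulnerable), "of 20 guesses checked")
    print("peer-validated counter:", simulate_rotating_xff(client_key_hardened), "of 20 guesses checked")
```

With the header-keyed counter all twenty guesses are checked, because every request lands in a new counter; with the peer-validated counter the attacker is refused after the third failure. The hardened variant assumes the reverse proxy appends the address it observed to X-Forwarded-For; if the Content Server is exposed directly with no proxy in front, the correct behaviour is simply to never consult the header at all.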