Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.
Published: 2026-02-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of IP–based brute‑force protection
Action: Patch
AI Analysis

Impact

This flaw allows an attacker to subvert calibre's content-server login protection by supplying a forged X-Forwarded-For header. Because the header is accepted without validation, the ban key changes with every new header value, so a ban recorded against one key never matches the attacker's next attempt and the protection is effectively disabled. The issue aligns with CWE-307 and CWE-346 and carries a CVSS base score of 5.3, indicating a moderate risk that could lead to credential compromise if left unaddressed.

Affected Systems

The vulnerability affects the calibre e‑book manager (vendor kovidgoyal) and applies to all releases older than version 9.4.0. Targeted systems are servers running calibre’s content server that are exposed to the Internet.

Risk and Exploitability

With an EPSS score below 1 %, the estimated likelihood of exploitation is low, yet the flaw is directly exploitable by any remote user simply by altering an HTTP header. The vulnerability is not listed in CISA's KEV catalog, but attackers can continue credential stuffing after a ban has been triggered, making it particularly dangerous for publicly reachable calibre servers.

Generated by OpenCVE AI on April 16, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade calibre to version 9.4.0 or newer to apply the vendor fix.
  • If an upgrade cannot be performed immediately, configure the content server to trust only known reverse proxies and validate or strip the X‑Forwarded‑For header from untrusted requests.
  • Implement additional authentication controls such as rate limiting or two‑factor authentication to mitigate credential‑guessing during the remediation window.

Generated by OpenCVE AI on April 16, 2026 at 15:19 UTC.
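The ban-key derivation the description explains, together with the trusted-proxy handling that the second recommended action calls for, as an added Python example. This is not calibre's own code: the function names, the BanList class, the TRUSTED_PROXIES set and the sample login attempts are constructed for illustration.

```python
"""Added example: why a ban key that mixes in an unvalidated
X-Forwarded-For header can be reset by the client, and how a key that
honours the header only behind a known proxy behaves instead.
Not calibre's code; all names here are assumptions for illustration."""
from collections import Counter
import ipaddress

# Assumed configuration: the only peers whose X-Forwarded-For we honour.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def _parse_ip(text):
    """Return an ip_address for a header hop, or None if it is malformed."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def vulnerable_ban_key(remote_addr, headers):
    """Pre-fix behaviour as the advisory describes it: the header value is
    folded into the key with no trusted-proxy check, so a client that
    changes the header gets a fresh key and a fresh failure counter."""
    return f"{remote_addr}|{headers.get('X-Forwarded-For', '')}"


def hardened_ban_key(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy.
    Walk the chain from the right (nearest hop first), skip hops that are
    themselves trusted proxies, and stop at the first address no trusted
    proxy vouched for. Anything a client appends on the left is ignored."""
    peer = _parse_ip(remote_addr)
    if peer is None or peer not in trusted:
        return remote_addr  # untrusted peer: the header is ignored entirely
    hops = [h for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client = peer
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed hop: keep the last address we could verify
        client = ip
        if ip not in trusted:
            break  # first hop not operated by us is the real client
    return str(client)


class BanList:
    """Minimal failed-login counter keyed by the supplied key function."""

    def __init__(self, key_func, max_failures=3):
        self.key_func = key_func
        self.max_failures = max_failures
        self.failures = Counter()

    def is_banned(self, remote_addr, headers):
        return self.failures[self.key_func(remote_addr, headers)] >= self.max_failures

    def record_failure(self, remote_addr, headers):
        self.failures[self.key_func(remote_addr, headers)] += 1


def simulate(key_func, attempts, max_failures=3):
    """Replay failed logins and return how many reached the password check
    before the ban list rejected them."""
    bans = BanList(key_func, max_failures)
    accepted = 0
    for remote_addr, headers in attempts:
        if bans.is_banned(remote_addr, headers):
            continue
        accepted += 1
        bans.record_failure(remote_addr, headers)
    return accepted


# Constructed sample: six failed logins from one direct peer, each carrying
# a different X-Forwarded-For value (RFC 5737 documentation addresses).
SPOOFED_ATTEMPTS = [
    ("203.0.113.9", {"X-Forwarded-For": f"192.0.2.{n}"}) for n in range(1, 7)
]

if __name__ == "__main__":
    print("accepted with vulnerable key:", simulate(vulnerable_ban_key, SPOOFED_ATTEMPTS))
    print("accepted with hardened key:  ", simulate(hardened_ban_key, SPOOFED_ATTEMPTS))
```

With the vulnerable key every replayed attempt lands on a new counter and none is blocked; with the hardened key the direct peer is not a trusted proxy, so the header is ignored and the fourth attempt onward is rejected. Behind a configured proxy the hardened key still yields the real client address, and a client-supplied leading entry in the chain is discarded.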


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Calibre-ebook
Calibre-ebook calibre
CPEs cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
Vendors & Products Calibre-ebook
Calibre-ebook calibre

Mon, 02 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Kovidgoyal
Kovidgoyal calibre
Vendors & Products Kovidgoyal
Kovidgoyal calibre

Fri, 27 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.
Title calibre has IP Ban Bypass via X-Forwarded-For Header Spoofing
Weaknesses CWE-307
CWE-346
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Calibre-ebook Calibre
Kovidgoyal Calibre
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T12:54:32.182Z

Reserved: 2026-02-24T02:32:39.799Z

Link: CVE-2026-27824

Vulnrichment

Updated: 2026-03-02T12:54:28.301Z

NVD

Status : Analyzed

Published: 2026-02-27T20:21:39.973

Modified: 2026-03-04T16:39:05.407

Link: CVE-2026-27824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses