Description
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in the URL path, but fetches downloadable items solely by attacker-provided IDs without constraining them to that library. An authenticated user with download permission and access to any one library can exfiltrate the full file contents of items belonging to any other library, including libraries they are explicitly denied access to. This vulnerability is fixed in 2.32.2.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Audiobookshelf’s bulk‑download endpoint allows an authenticated user with download permission to request any file by its ID, regardless of the library to which the user belongs. The result is that the user can read full file contents from libraries to which they are explicitly denied access, leading to confidential data exposure. The weakness is an access‑control flaw (CWE‑863).

Affected Systems

All installations of the advplyr Audiobookshelf service running versions earlier than 2.32.2 are affected. The issue resides in the GET /api/libraries/:id/download endpoint that does not constrain downloaded items to the library in the path.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated and possess download permission, but once these prerequisites are met a simple crafted HTTP GET request will retrieve any file, making exploitation straightforward and low‑effort.

Generated by OpenCVE AI on May 11, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Audiobookshelf to version 2.32.2 or later. The fix is contained in the latest release.
  • Revoke or limit download permissions for users who do not need access to all libraries, ensuring that only authorized users can trigger the bulk‑download endpoint.
  • Apply additional application layer controls such as validating that requested file IDs belong to the library in the URL path before serving the file content.
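The check the third action describes, as an added illustration that is not Audiobookshelf's own code: a simplified in-memory model of a bulk-download lookup, showing the unscoped fetch the description refers to beside a lookup constrained to the library the caller was authorised for. All function names, data shapes and records here are constructed assumptions, not the project's API.

```javascript
// Constructed sample data: two libraries, one item in each.
const items = {
  'item-1': { id: 'item-1', libraryId: 'lib-public',  path: '/media/public/book1.m4b' },
  'item-2': { id: 'item-2', libraryId: 'lib-private', path: '/media/private/archive.m4b' },
};

// Constructed user: has download permission but is granted only the public library.
const user = { id: 'u1', canDownload: true, accessibleLibraries: ['lib-public'] };

function canAccessLibrary(u, libraryId) {
  return u.accessibleLibraries.includes(libraryId);
}

// Unscoped pattern (the flaw class in the description): the library in the path is
// checked, but items are then fetched purely by caller-supplied IDs, so an item from a
// library the user is denied still ends up in the response.
function collectDownloadItemsUnscoped(u, libraryId, itemIds) {
  if (!u.canDownload || !canAccessLibrary(u, libraryId)) return { status: 403, files: [] };
  const files = itemIds.map((id) => items[id]).filter(Boolean).map((i) => i.path);
  return { status: 200, files };
}

// Scoped pattern: every requested item must belong to the authorised library. A request
// naming any foreign or unknown item is rejected as a whole with 404 rather than silently
// trimmed, so the endpoint neither serves nor confirms the existence of foreign items.
function collectDownloadItemsScoped(u, libraryId, itemIds) {
  if (!u.canDownload || !canAccessLibrary(u, libraryId)) return { status: 403, files: [] };
  const found = itemIds.map((id) => items[id]);
  if (found.some((i) => !i || i.libraryId !== libraryId)) return { status: 404, files: [] };
  return { status: 200, files: found.map((i) => i.path) };
}

// Constructed request for the authorised library that also names an item from the other one.
const mixedRequest = ['item-1', 'item-2'];
console.log(collectDownloadItemsUnscoped(user, 'lib-public', mixedRequest)); // status 200, two paths
console.log(collectDownloadItemsScoped(user, 'lib-public', mixedRequest));   // status 404, no files
```

In a real service the scoping belongs in the query itself (filter by library id alongside the item ids), so that no code path between the permission check and the file read can widen the set.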

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000
  Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 23:30:00 +0000
  First Time appeared, values added: Advplyr; Advplyr audiobookshelf
  Vendors & Products, values added: Advplyr; Advplyr audiobookshelf

Mon, 11 May 2026 20:15:00 +0000
  Description, values added: Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in the URL path, but fetches downloadable items solely by attacker-provided IDs without constraining them to that library. An authenticated user with download permission and access to any one library can exfiltrate the full file contents of items belonging to any other library, including libraries they are explicitly denied access to. This vulnerability is fixed in 2.32.2.
  Title, values added: Audiobookshelf: Cross-library file exfiltration via unscoped bulk download endpoint
  Weaknesses, values added: CWE-863
  References, values added: (none shown)
  Metrics (cvssV3_1), values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

No entry records removed values.


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T16:32:16.291Z

Reserved: 2026-04-30T18:49:06.711Z

Link: CVE-2026-42883

Vulnrichment

Updated: 2026-05-12T16:32:04.794Z

NVD

Status : Received

Published: 2026-05-11T20:25:44.593

Modified: 2026-05-12T17:16:20.530

Link: CVE-2026-42883

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:15:08Z

Weaknesses