Description
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validate that a resolved file path is within a library folder. This check fails for sibling directories whose names share a common prefix (e.g., /audiobooks vs /audiobooks-private), allowing authenticated users with upload permission to probe file existence outside their authorized library folder boundaries. This vulnerability is fixed in 2.32.2.
Published: 2026-05-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Audiobookshelf's POST /api/filesystem/pathexists endpoint, which uses String.startsWith() to verify that a resolved file path sits inside a configured library folder. A plain string-prefix comparison does not account for the path separator, so any sibling directory whose name begins with the library folder's name (for example, /audiobooks-private when the library is /audiobooks) passes the check. An authenticated user with upload permission can therefore ask whether files exist outside the library they are authorized for. The disclosure is limited to the existence of files under such prefix-sharing paths rather than arbitrary locations on the host, so the impact is confined to limited information disclosure. The weakness is CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

Affected Systems

Audiobookshelf by advplyr, all versions prior to 2.32.2 (2.32.1 and earlier). The issue is fixed in 2.32.2. Exploitation requires an account with upload permission and a directory outside the user's library whose absolute path begins with the path of a library folder they can access; because the check compares path strings, that sibling directory does not itself need to be configured as a library.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects a network-reachable flaw that needs low privileges and no user interaction, with a limited confidentiality impact only: it confirms or denies that a file exists and enables no code execution or privilege escalation. The EPSS estimate is below 1% (very low), and the CVE is not listed in CISA's KEV catalog, although the SSVC assessment records proof-of-concept exploitation with a partial technical impact. An attacker must hold an Audiobookshelf account with upload permission, so the issue is exposed only to authenticated users; even so, confirming which files exist in neighbouring directories is useful reconnaissance for follow-on attacks.

Generated by OpenCVE AI on May 11, 2026 at 22:27 UTC.

Remediation

The vendor fix is Audiobookshelf 2.32.2, which corrects the path validation; no separate workaround has been published.

OpenCVE Recommended Actions

  • Update Audiobookshelf to version 2.32.2 or newer to apply the built‑in path validation fix.
  • If patching cannot be applied immediately, revoke upload permissions for users who do not need them or disable upload functionality for the affected libraries while the issue is unresolved.
  • As an interim mitigation, make sure no directory on the host has an absolute path that begins with a library folder's path as a plain string prefix (for example, /audiobooks alongside /audiobooks-private); renaming or relocating the sibling directory removes the condition the flawed check misses. Treat this as a stopgap only, since it depends on the host layout rather than on correct validation.



Advisories

No advisories yet.

History

Wed, 13 May 2026 07:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 23:15:00 +0000

Type: First Time appeared
Values Added: Advplyr; Advplyr audiobookshelf
Type: Vendors & Products
Values Added: Advplyr; Advplyr audiobookshelf

Mon, 11 May 2026 20:15:00 +0000

Type: Description
Values Added: Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validate that a resolved file path is within a library folder. This check fails for sibling directories whose names share a common prefix (e.g., /audiobooks vs /audiobooks-private), allowing authenticated users with upload permission to probe file existence outside their authorized library folder boundaries. This vulnerability is fixed in 2.32.2.
Type: Title
Values Added: Audiobookshelf: Path prefix bypass in filesystem existence check leaks out-of-scope file existence
Type: Weaknesses
Values Added: CWE-22
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:22:08.300Z

Reserved: 2026-04-30T18:49:06.712Z

Link: CVE-2026-42885

Vulnrichment

Updated: 2026-05-11T20:21:04.851Z

NVD

Status : Deferred

Published: 2026-05-11T20:25:44.877

Modified: 2026-05-12T15:13:21.560

Link: CVE-2026-42885

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:00:17Z

Weaknesses