Description
Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Since entity IDs are sequential integers, an unauthenticated attacker can trivially enumerate all content on the server. This vulnerability is fixed in 0.9.0.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Kavita ReaderController.GetImage endpoint was marked AllowAnonymous, allowing any client to request chapter images without authentication. The apiKey parameter given in the request was never checked, so an attacker could simply specify any integer ID and retrieve the corresponding image. Because entity identifiers are sequential, enumeration of all content on the server becomes trivial, leading to full disclosure of the hosted media assets, including any proprietary or brand-sensitive material among them.

Affected Systems

Kareadita’s Kavita reading server, versions prior to 0.9.0, is affected. The vulnerability resides in the cross‑platform Reader API that serves images from any library the server hosts.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, with no EPSS score available and the vulnerability not listed in CISA KEV. The attack vector is remote network access to the /api/Reader/image endpoint, requiring no special credentials; enumeration of all image content is effectively immediate once access is gained.

Generated by OpenCVE AI on May 26, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kavita to version 0.9.0 or later, where the vulnerability is fixed.
  • If an upgrade is not immediately possible, restrict network access to the /api/Reader/image endpoint by configuring a firewall or reverse‑proxy rule to allow only authorized IPs or authenticated users.
  • Monitor server logs for unauthorized image requests and set up alerts for any repeated attempts to enumerate image IDs.
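
One way to act on the monitoring recommendation above, as an added example that is not OpenCVE's or Kavita's own code: a small Python detector that scans reverse-proxy access logs (the sample lines below are constructed) for clients sweeping consecutive chapter ids at /api/Reader/image. It assumes the proxy writes Combined Log Format and that the chapter id travels in a chapterId query parameter; because the vulnerable endpoint never validated apiKey, the log cannot distinguish a valid key from an empty one, so the signal is the enumeration pattern itself.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_image_request(line):
    """Return (client_ip, chapter_id) for a request to /api/Reader/image, else None.
    Assumption: the chapter id is passed as the chapterId query parameter."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    if url.path.lower() != '/api/reader/image':
        return None
    qs = parse_qs(url.query)
    try:
        return m.group('ip'), int(qs.get('chapterId', [''])[0])
    except ValueError:
        return None  # missing or non-numeric chapterId

def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    s, best = set(ids), 0
    for x in s:
        if x - 1 in s:
            continue  # not the start of a run
        n = 1
        while x + n in s:
            n += 1
        best = max(best, n)
    return best

def find_enumerators(lines, min_run=8):
    """Map client IP -> (distinct chapter ids, longest consecutive run) for every
    client whose image requests cover at least min_run consecutive chapter ids."""
    by_ip = defaultdict(set)
    for line in lines:
        hit = parse_image_request(line)
        if hit:
            by_ip[hit[0]].add(hit[1])
    return {ip: (len(ids), longest_consecutive_run(ids))
            for ip, ids in by_ip.items() if longest_consecutive_run(ids) >= min_run}

# Constructed sample: one client sweeping chapter ids 40..49 with an empty apiKey,
# one ordinary reader paging through a single chapter. IPs are documentation ranges.
SAMPLE_LOG = [
    f'203.0.113.7 - - [26/May/2026:18:20:{i:02d} +0000] "GET /api/Reader/image?chapterId={40 + i}&page=0&apiKey= HTTP/1.1" 200 51234'
    for i in range(10)
] + [
    '198.51.100.9 - - [26/May/2026:18:21:00 +0000] "GET /api/Reader/image?chapterId=7&page=3&apiKey=abc HTTP/1.1" 200 48001',
    '198.51.100.9 - - [26/May/2026:18:21:05 +0000] "GET /api/Reader/image?chapterId=7&page=4&apiKey=abc HTTP/1.1" 200 47990',
    '198.51.100.9 - - [26/May/2026:18:21:09 +0000] "GET /api/Series/all HTTP/1.1" 200 1200',
]

if __name__ == '__main__':
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.7': (10, 10)}
```

Tune min_run to the library's size and normal reading behaviour; a legitimate reader moves through pages of one chapter, not through consecutive chapter ids.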

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type                | Values removed | Values added
Metrics             |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 09:30:00 +0000

Type                | Values removed | Values added
First Time appeared |                | Kavita; Kavita kavita
Vendors & Products  |                | Kavita; Kavita kavita

Tue, 26 May 2026 18:00:00 +0000

Type                | Values removed | Values added
Description         |                | Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Since entity IDs are sequential integers, an unauthenticated attacker can trivially enumerate all content on the server. This vulnerability is fixed in 0.9.0.
Title               |                | Kavita: No authentication at /api/Reader/image
Weaknesses          |                | CWE-306
References          |                |
Metrics             |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T13:53:07.589Z

Reserved: 2026-05-07T19:20:44.689Z

Link: CVE-2026-44775

Vulnrichment

Updated: 2026-05-27T13:53:04.085Z

NVD

Status: Deferred

Published: 2026-05-26T18:16:51.347

Modified: 2026-06-17T10:51:18.830

Link: CVE-2026-44775

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T09:15:29Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function