The vulnerability is an IDOR in Kavita's download, size‑check, and chapter metadata endpoints that lack library‑level authorization checks in versions prior to 0.9.0. A low‑privileged user who can guess or discover a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can download the full file contents, query file sizes, and read metadata for that content. This allows the attacker to access private media files and associated information, compromising confidentiality of user libraries.

The affected product is Kavita from Kareadita, with all releases before version 0.9.0 susceptible. The impacted endpoints include /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter.

The CVSS score of 5.9 indicates a medium impact when the IDOR is coupled with enumeration. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, suggesting limited public exploitation to date. The likely attack vector involves sending crafted requests to the Kavita API endpoints; an attacker must have network or application access and be able to guess or brute‑force a valid content identifier. The vulnerability does not permit remote code execution or privilege escalation beyond accessing the content belonging to the guessed library.