CVE-2026-42883

Published: May 11, 2026Modified: May 19, 2026Deferred

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in the URL path, but fetches downloadable items solely by attacker-provided IDs without constraining them to that library. An authenticated user with download permission and access to any one library can exfiltrate the full file contents of items belonging to any other library, including libraries they are explicitly denied access to. This vulnerability is fixed in 2.32.2.

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-6rvg-w3f5-9gq5

Source: security-advisories@github.com

https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-6rvg-w3f5-9gq5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.