Brute-Force Protection Flaw in Calibre E-Book Manager by Kovid Goyal
CVE-2026-27824

5.3 MEDIUM

Key Information:

Vendor: Kovidgoyal
Status: Vendor
CVE Published: 27 February 2026

What is CVE-2026-27824?

The Calibre e-book manager, prior to version 9.4.0, contains a vulnerability in its Content Server's brute-force protection mechanism. The security feature relies on a ban key generated from both the remote_addr and X-Forwarded-For header without proper validation or trusted-proxy configuration. This oversight allows attackers to manipulate the X-Forwarded-For header to evade IP bans, which compromises the effectiveness of brute-force protection. This vulnerability poses a significant risk for Calibre servers exposed to the internet, where robust protection against credential stuffing and password guessing attacks is crucial. Version 9.4.0 addresses this issue, enhancing the security posture of the application.
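The flaw described above, as an added example that is not calibre's own code: the weak key folds the unvalidated X-Forwarded-For header into the ban key, so each spoofed header value gets a fresh, unbanned key, while the hardened derivation only honours the header when the direct peer is in an operator-configured trusted-proxy list (TRUSTED_PROXIES is an assumed, constructed value).

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

# Constructed assumption: the reverse proxies this deployment actually operates.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.1/32")]


def weak_ban_key(remote_addr: str, xff: Optional[str]) -> str:
    """The pattern the advisory describes: the header goes into the key unvalidated,
    so a client can pick a new key (and escape a ban) on every request."""
    return f"{remote_addr}|{xff or ''}"


def _is_trusted(ip: ipaddress._BaseAddress, trusted: Iterable) -> bool:
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Hardened derivation: X-Forwarded-For is only consulted when the direct peer is a
    trusted proxy. The chain is then walked from the right, skipping trusted hops, so
    the address a trusted proxy appended for its own client wins over anything the
    client itself may have put at the left end of the header."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not _is_trusted(peer, trusted):
        return remote_addr  # untrusted peer: the header is attacker-controlled, ignore it
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop left by a trusted proxy: fall back to the peer address
        if not _is_trusted(ip, trusted):
            return str(ip)
    return remote_addr  # every hop was one of our proxies; key on the peer itself


def distinct_keys(keyfn: Callable[[str, Optional[str]], str], remote_addr: str,
                  headers: List[Optional[str]]) -> int:
    """How many separate ban buckets one peer can occupy by varying the header."""
    return len({keyfn(remote_addr, h) for h in headers})
```

With the weak key a single direct client can spread its attempts over as many buckets as it sends header values; with the hardened key it stays in one.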

Affected Version(s)

calibre < 9.4.0

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
