Path Traversal Vulnerability in Audiobookshelf by AudiobookShelf
CVE-2026-42885

4.3 MEDIUM

Key Information:

Vendor
Advplyr

CVE Published:
11 May 2026

What is CVE-2026-42885?

Audiobookshelf, a self-hosted audiobook and podcast server, has a vulnerability affecting versions prior to 2.32.2. The POST /api/filesystem/pathexists endpoint validates the requested path with String.startsWith() against the user's library folder. A plain string-prefix test does not respect directory boundaries: any sibling directory whose name begins with the library folder's path (a library at /media/books and a sibling /media/books-archive, to use illustrative names) passes the check. An authenticated user with upload permission can therefore probe paths outside their assigned library folder and learn whether files exist there. The endpoint reveals only existence, not file contents, which is why the CVSS impact is limited to low confidentiality. This issue has been addressed in version 2.32.2.

Affected Version(s)

audiobookshelf < 2.32.2

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
