Unauthenticated Access Vulnerability in Kavita Reading Server
CVE-2026-44775

6.9 MEDIUM

Key Information:

Vendor

Kareadita

Status
Vendor
CVE Published:
26 May 2026

What is CVE-2026-44775?

The Kavita reading server prior to version 0.9.0 contains a significant vulnerability in the ReaderController.GetImage endpoint, which is marked with [AllowAnonymous], thereby permitting unrestricted access to page images from any chapter across all libraries without authentication. Although the endpoint accepts an apiKey parameter, it fails to validate it, allowing potential attackers to exploit the sequential nature of entity IDs. Consequently, they can easily enumerate all content stored on the server, leading to information disclosure risks. This issue has been addressed in the release of version 0.9.0.
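As an added defensive example (not Kavita's code and not part of the advisory), the following Python flags clients whose GetImage traffic has the shape of sequential chapter-ID enumeration in a reverse-proxy access log. The /api/reader/image route, the log format and the sample lines are all constructed assumptions; the apiKey value in the log is deliberately ignored, because the vulnerable endpoint never validated it.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines, NOT real Kavita logs. The route
# /api/reader/image is an ASSUMED path for ReaderController.GetImage.
SAMPLE_LOG = """\
10.0.0.5 GET /api/reader/image?chapterId=1001&page=0&apiKey=x 200
10.0.0.5 GET /api/reader/image?chapterId=1002&page=0&apiKey=x 200
10.0.0.5 GET /api/reader/image?chapterId=1003&page=0&apiKey=x 200
10.0.0.5 GET /api/reader/image?chapterId=1004&page=0&apiKey=x 200
192.168.1.20 GET /api/reader/image?chapterId=42&page=0&apiKey=k 200
192.168.1.20 GET /api/reader/image?chapterId=42&page=1&apiKey=k 200
192.168.1.20 GET /api/reader/image?chapterId=42&page=2&apiKey=k 200
192.168.1.20 GET /api/reader/image?chapterId=43&page=0&apiKey=k 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) GET /api/reader/image\?(?P<qs>\S+) \d{3}$")

def parse_requests(log_text):
    """Yield (ip, chapter_id, page) for every GetImage request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        params = dict(kv.split("=", 1) for kv in m["qs"].split("&"))
        yield m["ip"], int(params["chapterId"]), int(params["page"])

def find_enumerators(log_text, min_chapters=4, max_pages_per_chapter=1.5):
    """Flag clients whose GetImage traffic has the shape of ID enumeration.

    The endpoint never validated apiKey, so the key in the log proves
    nothing. Use access shape instead: a reader pulls many pages from few
    chapters; an enumerator pulls one page from many consecutive chapters.
    """
    by_ip = defaultdict(list)
    for ip, chapter, page in parse_requests(log_text):
        by_ip[ip].append((chapter, page))
    flagged = {}
    for ip, reqs in by_ip.items():
        chapters = sorted({c for c, _ in reqs})
        if len(chapters) < min_chapters:
            continue
        pages_per_chapter = len(reqs) / len(chapters)
        consecutive = sum(1 for a, b in zip(chapters, chapters[1:]) if b - a == 1)
        if (pages_per_chapter <= max_pages_per_chapter
                and consecutive == len(chapters) - 1):
            flagged[ip] = {"chapters": len(chapters),
                           "range": (chapters[0], chapters[-1])}
    return flagged
```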

Affected Version(s)

Kavita < 0.9.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
