CVE-2026-44775

UNKNOWN 0.0

Kavita: No authentication at /api/Reader/image

CVSS Score

0.0

EPSS Score

0.1%

EPSS Percentile

21th

Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Since entity IDs are sequential integers, an unauthenticated attacker can trivially enumerate all content on the server. This vulnerability is fixed in 0.9.0.

CWE	CWE-306
Vendor	kareadita
Product	kavita
Published	May 26, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for kareadita kavita

Be the first to know when new unknown vulnerabilities affecting kareadita kavita are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Kareadita / Kavita

< 0.9.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Kareadita/Kavita/security/advisories/GHSA-6gc9-6r8p-5wg2 github.com: https://github.com/Kareadita/Kavita/blob/8c686df2dbc2d0a83120e8b3f8c1269107bb815d/API/Controllers/ReaderController.cs#L116