Auth bypass in Kareadita Kavita

CVE-2026-44775

Kavita is a cross-platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endp…
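
The following ASP.NET Core controller is an added illustration of the weak pattern described above beside its hardened form; it is not Kavita's code, and the ILibraryAccess and IPageImageStore services, route names and the per-library access check are hypothetical (assumes .NET 8 / C# 12 with nullable reference types enabled).

```csharp
// Added illustration, not Kavita's code: ILibraryAccess and IPageImageStore are hypothetical.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public interface ILibraryAccess
{
    // True if the user may read the library that owns the chapter.
    Task<bool> UserCanReadChapterAsync(string userName, int chapterId);
}

public interface IPageImageStore
{
    Task<byte[]?> GetPageAsync(int chapterId, int page);
}

[ApiController]
[Route("api/[controller]")]
[Authorize] // controller-wide default: a valid identity is required
public class ReaderController(ILibraryAccess access, IPageImageStore images) : ControllerBase
{
    // WEAK: an action-level [AllowAnonymous] overrides the controller's [Authorize],
    // so an unauthenticated client can fetch any chapter's page images.
    [AllowAnonymous]
    [HttpGet("image-weak")]
    public async Task<IActionResult> GetImageWeak(int chapterId, int page)
    {
        var bytes = await images.GetPageAsync(chapterId, page);
        return bytes is null ? NotFound() : File(bytes, "image/png");
    }

    // HARDENED: no [AllowAnonymous], so [Authorize] applies, and the per-library
    // access check stops an authenticated user from reading libraries they lack.
    [HttpGet("image")]
    public async Task<IActionResult> GetImage(int chapterId, int page)
    {
        var user = User.Identity?.Name;
        if (user is null || !await access.UserCanReadChapterAsync(user, chapterId))
            return Forbid();

        var bytes = await images.GetPageAsync(chapterId, page);
        return bytes is null ? NotFound() : File(bytes, "image/png");
    }
}
```

A quick audit for this class of bug is to grep the controllers for [AllowAnonymous] and justify each occurrence, since the attribute silently wins over any controller-level or global authorization policy.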

Vulnerability class: Broken Authentication

EPSS: 0.001 (25.1st percentile)
