Auth bypass in Kareadita Kavita

CVE-2026-44776

Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId b…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (14.8th percentile) — read the EPSS interpretation.