CVE-2026-42883 MEDIUM

CVE-2026-42883: Audiobookshelf: Cross-library file exfiltration via unscoped bulk download endpoint

Vendor Advplyr

Product audiobookshelf

Weakness CWE-863 · Incorrect authorization

Published May 11, 2026

Last update May 12, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in the URL path, but fetches downloadable items solely by attacker-provided IDs without constraining them to that library. An authenticated user with download permission and access to any one library can exfiltrate the full file contents of items belonging to any other library, including libraries they are explicitly denied access to. This vulnerability is fixed in 2.32.2.

Key dates

02Disclosure timeline

May 11, 2026 CVE published

May 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-42883

Related vulnerabilities

CVE-2026-42883: Audiobookshelf: Cross-library file exfiltration via unscoped bulk download endpoint

01Description

02Disclosure timeline

03References

04Related CVE