CVE-2026-42884 MEDIUM

CVE-2026-42884: Audiobookshelf: Collection endpoints bypass library access controls exposing restricted library data

Vendor Advplyr
Product audiobookshelf
Weakness CWE-863 · Incorrect authorization
Published May 11, 2026
Last update May 12, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to each collection's library. An authenticated user with access to any library can enumerate and read collections (including full book metadata) from libraries they are explicitly restricted from accessing. This vulnerability is fixed in 2.32.2.

Key dates

02Disclosure timeline

May 11, 2026 CVE published
May 12, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2020-15246 Local File Inclusion by unauthenticated users CVE-2026-40071 pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions CVE-2026-24742 Discourse staff action logs expose sensitive information to moderators CVE-2026-8350 Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group CVE-2025-26526 Feedback response viewing and deletions did not respect Separate Groups mode