Kavita Library Authorization Bypass Vulnerability Allowing Unauthorized File Access

Vulnerability

A vulnerability in Kavita reading server versions prior to 0.9.0 allows low-privileged users to bypass library-level authorization and access content from libraries they are not assigned to. The issue affects multiple download and metadata endpoints within the '/api/Download/' and '/api/Chapter' routes. Exploitation requires only knowing or guessing a specific chapter, volume, or series ID, which can then be used to download files or read metadata from a library the user is not assigned to.

Impact

Exploitation of this vulnerability could lead to unauthorized access to library content, allowing users to download files from any library on the server, including those they are explicitly denied access to.

Reproduction

The vulnerability can be reproduced by an authenticated user who holds the Download role but is not assigned to a given library. After logging in, the user requests file downloads or metadata for chapter, volume, or series IDs belonging to that library, and the server returns them, bypassing the library-level access controls.
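The following is an added illustration of the missing check, not Kavita's own code; the data model, IDs, role name handling and function names are assumptions for the example. The vulnerable pattern authorizes a download on the Download role alone, while the fixed pattern also resolves the requested chapter, volume or series to its library and rejects anything outside the user's assignment, answering unknown and unassigned IDs identically so the endpoint cannot be used to enumerate which IDs exist.

```python
from dataclasses import dataclass

# Constructed sample data (not Kavita's real schema) modelling the hierarchy
# the advisory names: library > series > volume > chapter.
SERIES_LIBRARY = {10: 1, 11: 2}          # series_id -> library_id
VOLUME_SERIES = {100: 10, 101: 11}       # volume_id -> series_id
CHAPTER_VOLUME = {1000: 100, 1001: 101}  # chapter_id -> volume_id


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    library_ids: frozenset  # libraries this user is assigned to


def library_of(kind: str, obj_id):
    """Walk chapter -> volume -> series -> library; None if any link is missing."""
    if kind == "chapter":
        obj_id, kind = CHAPTER_VOLUME.get(obj_id), "volume"
    if kind == "volume" and obj_id is not None:
        obj_id, kind = VOLUME_SERIES.get(obj_id), "series"
    if kind == "series" and obj_id is not None:
        return SERIES_LIBRARY.get(obj_id)
    return None


def authorize_vulnerable(user: User, kind: str, obj_id: int) -> bool:
    """Flawed pattern: only the role is checked, the library never is."""
    return "Download" in user.roles


def authorize_fixed(user: User, kind: str, obj_id: int) -> tuple:
    """Role check plus library-level check on the resolved object.

    Unknown and unassigned IDs produce the same denial so the response
    does not reveal which IDs exist on the server."""
    if "Download" not in user.roles:
        return False, "missing Download role"
    library_id = library_of(kind, obj_id)
    if library_id is None or library_id not in user.library_ids:
        return False, "not found or not assigned"
    return True, "ok"


if __name__ == "__main__":
    alice = User("alice", frozenset({"Download"}), frozenset({1}))
    # Chapter 1001 lives in library 2, which alice is not assigned to.
    print("vulnerable:", authorize_vulnerable(alice, "chapter", 1001))
    print("fixed:     ", authorize_fixed(alice, "chapter", 1001))
```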

Remediation

Users should update to Kavita version 0.9.0 or later, where this vulnerability has been fixed.

Added: May 27, 2026, 12:05 AM
Updated: May 27, 2026, 12:05 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.