2443417 – (CVE-2026-27824) CVE-2026-27824 calibre: Calibre: Brute-force protection bypass via X-Forwarded-For header manipulation

Bug 2443417 (CVE-2026-27824) - CVE-2026-27824 calibre: Calibre: Brute-force protection bypass via X-Forwarded-For header manipulation

Summary: CVE-2026-27824 calibre: Calibre: Brute-force protection bypass via X-Forwarde...

Keywords:
Status:	NEW
Alias:	CVE-2026-27824
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2443782
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-27 20:01 UTC by OSIDB Bzimport
Modified:	2026-03-02 11:22 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-27 20:01:55 UTC

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.

Note You need to log in before you can comment on or make changes to this bug.