CVE-2026-27824: CWE-307: Improper Restriction of Excessive Authentication Attempts in kovidgoyal calibre
CVE-2026-27824 affects the calibre Content Server in versions prior to 9.4.0 and involves improper restriction of excessive authentication attempts. The vulnerability arises because the server's brute-force protection relies on a ban key derived from the client IP address and the X-Forwarded-For HTTP header, which is not validated or restricted to trusted proxies. Attackers can manipulate this header to bypass IP-based bans, rendering brute-force protections ineffective. This flaw enables credential stuffing and password guessing attacks on internet-exposed calibre servers. The issue is fixed in calibre version 9.4.0. The CVSS score is 5.3.
AI Analysis
Technical Summary
CVE-2026-27824 is a medium severity vulnerability in the calibre Content Server, a cross-platform e-book management system. The flaw stems from the server’s brute-force protection mechanism, which uses a ban key based on the client’s IP address and the X-Forwarded-For HTTP header to block repeated failed authentication attempts. However, the X-Forwarded-For header is accepted directly from incoming HTTP requests without validation or configuration to trust only known proxy sources. This allows an attacker to spoof or modify the X-Forwarded-For header arbitrarily, effectively circumventing IP-based bans by making the server believe requests originate from different IP addresses. Consequently, the brute-force protection becomes ineffective, exposing the server to credential stuffing and password guessing attacks. Since calibre servers are often deployed for remote access to e-book libraries, those exposed to the internet are particularly at risk. The vulnerability affects all versions prior to 9.4.0, where the issue has been addressed by properly validating or restricting the X-Forwarded-For header usage. The CVSS 3.1 score of 5.3 reflects the network attack vector, no required privileges or user interaction, and limited confidentiality impact, as successful exploitation could allow attackers to guess passwords but not directly compromise data integrity or availability. No known exploits have been reported in the wild as of the publication date.
Potential Impact
The primary impact of this vulnerability is the increased risk of successful brute-force attacks against calibre Content Servers exposed to the internet. Attackers can bypass IP-based rate limiting and bans, enabling them to perform credential stuffing or password guessing attacks at scale. This can lead to unauthorized access to user accounts and potentially sensitive e-book collections or metadata. While the vulnerability does not directly compromise data integrity or availability, unauthorized access can lead to privacy violations and potential further exploitation depending on the environment in which calibre is deployed. Organizations relying on calibre servers for remote e-book access, especially those with weak or reused passwords, face heightened risk. The impact is magnified in scenarios where the server is publicly accessible without additional network-level protections. Overall, this vulnerability undermines a critical security control designed to prevent automated attacks, increasing the likelihood of account compromise and data exposure.
Mitigation Recommendations
The primary mitigation is to upgrade calibre Content Server to version 9.4.0 or later, where the vulnerability is fixed by proper validation or trusted-proxy configuration of the X-Forwarded-For header. For organizations unable to upgrade immediately, network-level mitigations should be implemented, such as restricting access to the calibre server via VPN or firewall rules to trusted IP ranges. Additionally, administrators should disable or limit the use of the X-Forwarded-For header if possible or configure the server to trust only known proxy IPs. Implementing multi-factor authentication (MFA) for user accounts can significantly reduce the risk of unauthorized access even if brute-force attempts succeed. Monitoring authentication logs for unusual failed login patterns and employing external rate-limiting or web application firewalls (WAFs) can provide additional layers of defense. Finally, educating users to use strong, unique passwords reduces the effectiveness of credential stuffing attacks.
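The following Python is an added illustration of the trust boundary described in the technical summary and the "trust only known proxy IPs" recommendation above; it is not calibre's code. It contrasts a ban key that believes X-Forwarded-For from anyone with one that consults the header only when the TCP peer is a configured proxy, then replays a constructed sequence of failed logins through a minimal failure counter to show the difference. TRUSTED_PROXIES, MAX_FAILURES, ban_key_naive, ban_key_hardened, FailureTracker and the sample requests are all constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed configuration: address ranges whose X-Forwarded-For we believe.
# A real deployment lists only its own reverse proxy, never a range a client could sit in.
TRUSTED_PROXIES = {
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
}
MAX_FAILURES = 3  # constructed threshold for the demonstration


def _is_trusted(addr):
    """True if addr falls inside a trusted proxy range; raises ValueError on a non-IP."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def ban_key_naive(remote_addr, headers):
    """Weak pattern: whoever sends the header chooses the key the ban is tracked under."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def ban_key_hardened(remote_addr, headers):
    """Consult X-Forwarded-For only when the peer is a trusted proxy, and walk the chain
    from the right, skipping trusted hops, so the key is the first address a trusted
    proxy actually saw. Anything malformed falls back to the TCP peer."""
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:
            return remote_addr
    return remote_addr


class FailureTracker:
    """Minimal per-key failed-login counter standing in for a server's ban table."""

    def __init__(self, key_func, max_failures=MAX_FAILURES):
        self.key_func = key_func
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def is_banned(self, remote_addr, headers):
        return self.failures[self.key_func(remote_addr, headers)] >= self.max_failures

    def record_failure(self, remote_addr, headers):
        self.failures[self.key_func(remote_addr, headers)] += 1


def simulate(key_func, requests):
    """Replay failed logins; return (attempts that reached the password check, distinct keys)."""
    tracker = FailureTracker(key_func)
    allowed = 0
    for remote_addr, headers in requests:
        if tracker.is_banned(remote_addr, headers):
            continue
        allowed += 1
        tracker.record_failure(remote_addr, headers)
    return allowed, len(tracker.failures)


# Constructed sample: six failed logins from one public peer, each carrying a different
# X-Forwarded-For value. The peer is not a trusted proxy, so the header should be ignored.
SPOOFED_REQUESTS = [
    ("203.0.113.7", {"X-Forwarded-For": f"192.0.2.{i}"}) for i in range(1, 7)
]

if __name__ == "__main__":
    print("naive   :", simulate(ban_key_naive, SPOOFED_REQUESTS))      # (6, 6): never banned
    print("hardened:", simulate(ban_key_hardened, SPOOFED_REQUESTS))   # (3, 1): banned after 3
    print("behind proxy:", ban_key_hardened("10.0.0.5", {"X-Forwarded-For": "198.51.100.20, 10.0.0.9"}))
```

Two operational points follow from the hardened version. If the real reverse proxy is not in the trusted set, every client collapses onto the proxy's address and one bad actor can lock out everyone, so the trusted list must match the deployment exactly. Conversely, listing a range that clients can reach from reintroduces the original problem, because those clients can again choose their own key.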
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.799Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a1f6db32ffcdb8a26bc2e5
Added to database: 2/27/2026, 7:56:11 PM
Last enriched: 2/27/2026, 8:12:40 PM
Last updated: 2/27/2026, 10:13:21 PM