CVE-2026-27824 Overview
Calibre is a cross-platform e-book manager used for viewing, converting, editing, and cataloging e-books. The Calibre Content Server includes brute-force protection that bans abusive clients based on IP address. Prior to version 9.4.0, this protection derives its ban key from both remote_addr and the X-Forwarded-For header. The server reads X-Forwarded-For directly from the HTTP request without validation or trusted-proxy configuration. An attacker can rotate or append values to this header to bypass IP-based bans and continue credential stuffing or password guessing attempts. Version 9.4.0 contains a fix for the issue, tracked under CWE-307.
Critical Impact
Brute-force protection on internet-exposed Calibre Content Servers can be bypassed by manipulating a single HTTP header, neutralizing the primary defense against credential attacks.
Affected Products
- Calibre Content Server versions prior to 9.4.0
- Calibre-ebook Calibre (all platforms running the Content Server component)
- Internet-exposed Calibre deployments relying on built-in brute-force protection
Discovery Timeline
- 2026-02-27 - CVE-2026-27824 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2026-27824
Vulnerability Analysis
The Calibre Content Server enforces brute-force protection by tracking failed authentication attempts and banning clients that exceed a threshold. The ban tracking key combines the TCP-level remote_addr with the value of the X-Forwarded-For HTTP header. This composite key design assumes the header carries trustworthy upstream proxy information.
The server applies no validation, parsing rules, or trusted-proxy allowlist to X-Forwarded-For. Any client can set this header to an arbitrary value on each request. Because the ban key changes whenever the header changes, an attacker rotates the header value to generate a new tracking identity per request.
The result is unlimited authentication attempts against the Content Server. Attackers can conduct credential stuffing using leaked password databases or perform password guessing against known user accounts. The flaw maps to CWE-307: Improper Restriction of Excessive Authentication Attempts.
Root Cause
The root cause is reliance on a client-controlled HTTP header as part of an identity primitive. Trusted-proxy patterns require the server to know which upstream addresses are allowed to set X-Forwarded-For and to ignore the header otherwise. Calibre's implementation incorporated the raw header value without that gating.
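As an added illustration (not Calibre's own code), the ban-key logic described above in Python: the pre-9.4.0 pattern that folds the raw header into the identity beside a hardened version that honours X-Forwarded-For only when the TCP peer is a configured trusted proxy. The proxy address, the ban threshold and the client addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # assumed deployment value
BAN_THRESHOLD = 3                                      # assumed, for illustration

def vulnerable_ban_key(remote_addr, headers):
    # Pre-9.4.0 pattern as the advisory describes it: the raw header is part of
    # the identity, so every new header value looks like a new client.
    return (remote_addr, headers.get("X-Forwarded-For", ""))

def hardened_ban_key(remote_addr, headers):
    # Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    # use the right-most valid address (the one that proxy appended).
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES:
        parts = [p.strip() for p in headers.get("X-Forwarded-For", "").split(",")]
        for cand in reversed([p for p in parts if p]):
            try:
                return str(ipaddress.ip_address(cand))
            except ValueError:
                continue  # malformed entry: skip it rather than trust it
    return str(peer)  # direct clients are identified by their peer address only

class BanTracker:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)

    def is_banned(self, remote_addr, headers):
        return self.failures[self.key_fn(remote_addr, headers)] >= BAN_THRESHOLD

    def record_failure(self, remote_addr, headers):
        self.failures[self.key_fn(remote_addr, headers)] += 1

def simulate(key_fn, attempts=10):
    """Constructed scenario: one direct client (203.0.113.7) sends `attempts`
    failed logins, changing X-Forwarded-For each time. Returns how many of
    them the tracker let through before banning."""
    tracker = BanTracker(key_fn)
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}"}
        if tracker.is_banned("203.0.113.7", headers):
            continue
        allowed += 1
        tracker.record_failure("203.0.113.7", headers)
    return allowed
```

With the vulnerable key all ten attempts get through; with the hardened key the ban triggers after the third.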
Attack Vector
An unauthenticated remote attacker sends repeated login requests to the Content Server. Each request includes a different X-Forwarded-For value such as a randomized IPv4 string. The brute-force protection treats every request as originating from a new client and never triggers a ban, allowing high-volume credential testing over the network. Refer to the Calibre GitHub Security Advisory GHSA-vhxc-r7v8-2xrw for further technical context.
Detection Methods for CVE-2026-27824
Indicators of Compromise
- High volume of failed authentication attempts to the Calibre Content Server login endpoint within a short time window.
- Requests to the Content Server containing varied or sequentially incrementing X-Forwarded-For header values from the same source IP.
- X-Forwarded-For values that do not match known upstream proxy or load balancer addresses in your environment.
Detection Strategies
- Inspect Calibre Content Server access logs for repeated POST requests to authentication routes from a single remote_addr with rotating X-Forwarded-For headers.
- Correlate failed login response codes with header diversity per source IP to surface evasion attempts.
- Alert on Calibre versions below 9.4.0 discovered through asset inventory or HTTP banner inspection.
Monitoring Recommendations
- Forward Calibre Content Server logs to a centralized logging or SIEM platform and create rules that count failed logins per remote_addr regardless of X-Forwarded-For.
- Monitor for outbound credential validation patterns and account lockouts on accounts that authenticate via Calibre.
- Track unique X-Forwarded-For values per session and flag sources exceeding a defined cardinality threshold.
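To make the detection strategies and monitoring recommendations above concrete, an added example (not from this page or from Calibre) that runs the checks over constructed access-log lines: failed logins are counted per remote_addr with X-Forwarded-For ignored, and the distinct header values seen per peer are counted. The log format, the treatment of any 401 response as a failed authentication attempt, and the trusted proxy address are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines in an nginx-style format whose last quoted field is
# the X-Forwarded-For header as received (assumed log format).
SAMPLE_LOG = """\
203.0.113.7 - [01/Mar/2026:10:00:01 +0000] "POST /login HTTP/1.1" 401 "198.51.100.1"
203.0.113.7 - [01/Mar/2026:10:00:02 +0000] "POST /login HTTP/1.1" 401 "198.51.100.2"
203.0.113.7 - [01/Mar/2026:10:00:03 +0000] "POST /login HTTP/1.1" 401 "198.51.100.3"
203.0.113.7 - [01/Mar/2026:10:00:04 +0000] "POST /login HTTP/1.1" 401 "198.51.100.4"
10.0.0.5 - [01/Mar/2026:10:00:05 +0000] "POST /login HTTP/1.1" 401 "192.0.2.10"
10.0.0.5 - [01/Mar/2026:10:00:06 +0000] "GET /browse HTTP/1.1" 200 "192.0.2.10"
192.0.2.44 - [01/Mar/2026:10:00:07 +0000] "POST /login HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<addr>\S+) - \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<xff>[^"]*)"$'
)
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed: the only peer allowed to set X-Forwarded-For

def analyze(log_text, fail_threshold=3, xff_cardinality=3):
    """Per remote_addr: failed-auth count (401, header ignored), the set of
    distinct X-Forwarded-For values, and the alerts those numbers trigger."""
    stats = defaultdict(lambda: {"failures": 0, "xff_values": set(), "alerts": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than miscount
        s = stats[m["addr"]]
        if m["status"] == "401":
            s["failures"] += 1
        if m["xff"] != "-":
            s["xff_values"].add(m["xff"])
    for addr, s in stats.items():
        if s["failures"] >= fail_threshold:
            s["alerts"].append("failed-auth-volume")      # keyed on peer only
        if len(s["xff_values"]) >= xff_cardinality:
            s["alerts"].append("xff-rotation")            # header churn per peer
        if s["xff_values"] and addr not in TRUSTED_PROXIES:
            s["alerts"].append("xff-from-untrusted-peer") # header from a non-proxy
    return stats
```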
How to Mitigate CVE-2026-27824
Immediate Actions Required
- Upgrade Calibre to version 9.4.0 or later on all systems running the Content Server.
- Restrict Content Server exposure to trusted networks or place it behind an authenticating reverse proxy.
- Rotate credentials for any Content Server accounts that may have been targeted by brute-force activity.
Patch Information
The maintainers fixed the issue in Calibre 9.4.0. Details are published in the Calibre GitHub Security Advisory GHSA-vhxc-r7v8-2xrw. Administrators should validate the running version after upgrade and confirm the Content Server restarts cleanly.
Workarounds
- Place the Calibre Content Server behind a reverse proxy such as nginx or Caddy that strips or overwrites the X-Forwarded-For header before forwarding requests.
- Enforce rate limiting and IP-based bans at the proxy or web application firewall layer rather than relying on Calibre's built-in protection.
- Require strong, unique passwords and enable multi-factor authentication at the network or proxy layer for any internet-exposed deployment.
# Example nginx configuration to strip client-supplied X-Forwarded-For
# before proxying to Calibre Content Server. Both the zone definition and the
# server block belong in the http context. The zone is keyed on the TCP peer
# address, which the client cannot spoof, rather than on any header.
limit_req_zone $binary_remote_addr zone=login_zone:10m rate=5r/m;

server {
    listen 443 ssl;
    server_name calibre.example.com;
    # ssl_certificate and ssl_certificate_key directives omitted for brevity

    location / {
        # Overwrite, never append to, the header so Calibre only ever sees the real peer
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:8080;
        # Applies to every request under /, not only login attempts; tighten the
        # location if browsing traffic must not be rate limited
        limit_req zone=login_zone burst=5 nodelay;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


