5.3 CVE-2026-27824
Enriched by CISA Brute Force
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.
https://nvd.nist.gov/vuln/detail/CVE-2026-27824
Categories
CWE-307 : Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. the REST API for a network OS has a high limit for number of connections, allowing brute force password guessing Product does not disconnect or timeout after multiple failed logins. Product does not disconnect or timeout after multiple failed logins. Product does not disconnect or timeout after multiple failed logins. Product does not disconnect or timeout after multiple failed logins. Product does not disconnect or timeout after multiple failed logins. User accounts not disabled when they exceed a threshold; possibly a resultant problem.
References
security-advisories@github.com
AFFECTED (from MITRE)
| Vendor |
Product |
Versions |
| kovidgoyal |
calibre |
|
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
CPE
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| 16 |
Dictionary-based Password Attack
[Determine application's/system's password policy] Determine the password policies of the target application/system. [Select dictionaries] Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.) [Determine username(s) to target] Determine username(s) whose passwords to crack. [Use dictionary to crack passwords.] Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work. |
High |
| 49 |
Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password. [Determine application's/system's password policy] Determine the password policies of the target application/system. [Brute force password] Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access. |
High |
| 560 |
Use of Known Domain Credentials
[Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service. [Determine target's password policy] Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria. [Attempt authentication] Try each credential until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within a system or application [Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within the system or application. |
High |
| 565 |
Password Spraying
[Determine target's password policy] Determine the password policies of the target system/application. [Select passwords] Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.) [Brute force password] Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access. |
High |
| 600 |
Credential Stuffing
[Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service. [Determine target's password policy] Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria. [Attempt authentication] Try each username/password combination until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application [Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within the system or application. |
High |
| 652 |
Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain. [Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain. [Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain [Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications. |
High |
| 653 |
Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System. [Acquire known operating system credentials] The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain. [Attempt authentication] Try each operating system credential against various systems, applications, and services within the domain until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network [Spoofing] Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within system files or application configuration. |
High |
MITRE
Techniques
| id |
description |
| T1078 |
Valid Accounts |
| T1110.001 |
Brute Force:Password Guessing |
| T1110.003 |
Brute Force:Password Spraying |
| T1110.004 |
Brute Force:Credential Stuffing |
| T1558 |
Steal or Forge Kerberos Tickets |
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
| id |
description |
| M1017 |
Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
| M1051 |
Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords. |
| M1027 |
Refer to NIST guidelines when creating password policies. |
| M1018 |
Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts. |
| M1026 |
Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.
Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. |
| © 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation. |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer
