Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.
AnalysisAI
Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.
Technical ContextAI
Kavita (cpe:2.3:a:kareadita:kavita) is an open-source cross-platform reading server for managing comics, manga, and ebook libraries, typically self-hosted and exposed via web UI with JWT-based session authentication. The root cause is CWE-287 (Improper Authentication): the JWT issuance endpoint does not properly validate the requester's identity before minting tokens, so it returns signed JWTs for arbitrary usernames. The release notes mention an OIDC validation change ('no longer requires super safe urls'), suggesting the defect lived in the OIDC/token-handling code path that intersects with username-to-token resolution.
RemediationAI
Vendor-released patch: upgrade to Kavita 0.9.0.2 or later, available at https://github.com/Kareadita/Kavita/releases/tag/v0.9.0.2; the maintainer explicitly states 'All users are strongly advised to update immediately.' Until the upgrade is applied, restrict network reachability of the Kavita web interface to a VPN, trusted LAN, or reverse proxy enforcing source-IP allowlisting - note this breaks remote reader access for legitimate users on the road. Renaming admin accounts to non-obvious usernames offers only marginal hardening because any user JWT can be minted, so a low-privilege account is also at risk; rotating JWT signing keys after upgrade is advisable to invalidate any tokens an attacker may have already harvested. Consult GHSA-m2v3-fcjh-hm22 for the full advisory.
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. Rated medium severity (CVSS 6
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated
Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0. Rated low severity (C
Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image acro
Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31938