Skip to main content

Kavita CVE-2026-47202

| EUVDEUVD-2026-31938 CRITICAL
Improper Authentication (CWE-287)
2026-05-26 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 08:22 vuln.today
Analysis Generated
Jun 08, 2026 - 08:22 vuln.today
Patch available
May 26, 2026 - 19:02 EUVD
CVSS changed
May 26, 2026 - 18:22 NVD
9.3 (CRITICAL)

DescriptionGitHub Advisory

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.

AnalysisAI

Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.

Technical ContextAI

Kavita (cpe:2.3:a:kareadita:kavita) is an open-source cross-platform reading server for managing comics, manga, and ebook libraries, typically self-hosted and exposed via web UI with JWT-based session authentication. The root cause is CWE-287 (Improper Authentication): the JWT issuance endpoint does not properly validate the requester's identity before minting tokens, so it returns signed JWTs for arbitrary usernames. The release notes mention an OIDC validation change ('no longer requires super safe urls'), suggesting the defect lived in the OIDC/token-handling code path that intersects with username-to-token resolution.

RemediationAI

Vendor-released patch: upgrade to Kavita 0.9.0.2 or later, available at https://github.com/Kareadita/Kavita/releases/tag/v0.9.0.2; the maintainer explicitly states 'All users are strongly advised to update immediately.' Until the upgrade is applied, restrict network reachability of the Kavita web interface to a VPN, trusted LAN, or reverse proxy enforcing source-IP allowlisting - note this breaks remote reader access for legitimate users on the road. Renaming admin accounts to non-obvious usernames offers only marginal hardening because any user JWT can be minted, so a low-privilege account is also at risk; rotating JWT signing keys after upgrade is advisable to invalidate any tokens an attacker may have already harvested. Consult GHSA-m2v3-fcjh-hm22 for the full advisory.

Share

CVE-2026-47202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy