Skip to main content

Calibre-Web CVE-2026-7709

LOW
Incorrect Privilege Assignment (CWE-266)
2026-05-03 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 03, 2026 - 23:30 vuln.today
Analysis Generated
May 03, 2026 - 23:22 vuln.today
CVE Published
May 03, 2026 - 23:16 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper authorization in Calibre-Web up to version 0.6.26 allows authenticated remote attackers to manipulate the user_id parameter in the generate_auth_token function (cps/kobo_auth.py) to access or disclose information belonging to other users. The CVSS score of 2.1 reflects the requirement for prior authentication and limited impact scope, though publicly available exploit code exists.

Technical ContextAI

The vulnerability resides in the Kobo authentication endpoint component of Calibre-Web, specifically in the generate_auth_token function within cps/kobo_auth.py. The root cause is improper authorization validation (CWE-266: Improper Privilege Management) when processing the user_id parameter. This suggests that the function fails to properly verify that an authenticated user has permission to generate tokens for other user accounts, allowing privilege escalation or lateral user account access. The Kobo authentication subsystem appears to be an integration layer for e-reader device authentication, making this endpoint accessible to any authenticated user of the system.

Affected ProductsAI

Calibre-Web janeczku version 0.6.26 and earlier. The vulnerability affects the Kobo authentication endpoint component (cps/kobo_auth.py). Users running Calibre-Web 0.6.26 or prior are in scope. The vendor's lack of response to disclosure suggests patches may not be available from the official maintainer; community-maintained forks or third-party distributions should be evaluated separately.

RemediationAI

Upgrade to a patched version of Calibre-Web if available; however, the vendor's non-response to disclosure raises concerns about patch availability from the official repository. As an interim compensating control, restrict access to the Calibre-Web instance to a closed set of trusted users only, reducing the attack surface to authenticated accounts you control. Additionally, disable or isolate the Kobo authentication endpoint (/api/auth/kobo or similar routes) if Kobo device integration is not required. Review authentication logs and generated auth tokens for unauthorized access. If upgrading is not immediately possible, implement network-level access controls to limit who can authenticate to the Calibre-Web instance. Users should also consider isolating Calibre-Web instances by user group or organization to minimize the blast radius of cross-user token generation. Contact the community-maintained fork or alternative maintained projects if available, as the original maintainer appears inactive.

Share

CVE-2026-7709 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy