Calibre-Web CVE-2026-7709
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper authorization in Calibre-Web up to version 0.6.26 allows authenticated remote attackers to manipulate the user_id parameter in the generate_auth_token function (cps/kobo_auth.py) to access or disclose information belonging to other users. The CVSS score of 2.1 reflects the requirement for prior authentication and limited impact scope, though publicly available exploit code exists.
Technical ContextAI
The vulnerability resides in the Kobo authentication endpoint component of Calibre-Web, specifically in the generate_auth_token function within cps/kobo_auth.py. The root cause is improper authorization validation (CWE-266: Improper Privilege Management) when processing the user_id parameter. This suggests that the function fails to properly verify that an authenticated user has permission to generate tokens for other user accounts, allowing privilege escalation or lateral user account access. The Kobo authentication subsystem appears to be an integration layer for e-reader device authentication, making this endpoint accessible to any authenticated user of the system.
Affected ProductsAI
Calibre-Web janeczku version 0.6.26 and earlier. The vulnerability affects the Kobo authentication endpoint component (cps/kobo_auth.py). Users running Calibre-Web 0.6.26 or prior are in scope. The vendor's lack of response to disclosure suggests patches may not be available from the official maintainer; community-maintained forks or third-party distributions should be evaluated separately.
RemediationAI
Upgrade to a patched version of Calibre-Web if available; however, the vendor's non-response to disclosure raises concerns about patch availability from the official repository. As an interim compensating control, restrict access to the Calibre-Web instance to a closed set of trusted users only, reducing the attack surface to authenticated accounts you control. Additionally, disable or isolate the Kobo authentication endpoint (/api/auth/kobo or similar routes) if Kobo device integration is not required. Review authentication logs and generated auth tokens for unauthorized access. If upgrading is not immediately possible, implement network-level access controls to limit who can authenticate to the Calibre-Web instance. Users should also consider isolating Calibre-Web instances by user group or organization to minimize the blast radius of cross-user token generation. Contact the community-maintained fork or alternative maintained projects if available, as the original maintainer appears inactive.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today