Skip to main content

Calibre-Web-Automated CVE-2026-7713

| EUVDEUVD-2026-26854 LOW
Incorrect Privilege Assignment (CWE-266)
2026-05-04 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
May 04, 2026 - 00:30 vuln.today
Analysis Generated
May 04, 2026 - 00:30 vuln.today
EUVD ID Assigned
May 04, 2026 - 00:22 euvd
EUVD-2026-26854
Analysis Generated
May 04, 2026 - 00:22 vuln.today
CVE Published
May 04, 2026 - 00:16 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.0.7 addresses this issue. The patch is identified as 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. The affected component should be upgraded.

AnalysisAI

Improper authorization in Calibre-Web-Automated versions up to 4.0.6 allows authenticated remote attackers to generate or revoke Kobo authentication tokens for arbitrary users via an Insecure Direct Object Reference (IDOR) vulnerability in the kobo_auth.py component. An attacker with valid login credentials can request /kobo_auth/generate_auth_token/<victim_user_id> to obtain tokens authorizing Kobo sync as any other user, or revoke their tokens to deny service. Publicly available exploit code exists and the vulnerability is confirmed patched in version 4.0.7.

Technical ContextAI

The vulnerability is rooted in CWE-266 (Improper Privilege Management) combined with an Insecure Direct Object Reference pattern. The Kobo authentication route in cps/kobo_auth.py implements a function generate_auth_token that accepts a user_id parameter from the URL path, but prior to version 4.0.7 failed to validate whether the authenticated requester (current_user.id) matches the target user_id or holds admin privileges. The CVSS vector shows AV:N (network-accessible) AC:L (low complexity) and PR:L (requires low-privilege authenticated user), indicating the OAuth-like token generation mechanism is reachable by any authenticated user without additional barriers. The patch (commit 9f50bb2c16160564c9f8777dc2ceed3eb95e4807) adds explicit authorization checks: if current_user.id != user_id and not current_user.role_admin(): abort(403), enforcing that only the target user or administrators can mint/revoke tokens.

RemediationAI

Upgrade Calibre-Web-Automated to version 4.0.7 or later. The patched version can be obtained from https://github.com/new-usemame/Calibre-Web-NextGen/releases/tag/v4.0.7. If immediate upgrade is not possible, the authorization check from commit 9f50bb2c16160564c9f8777dc2ceed3eb95e4807 can be manually backported to cps/kobo_auth.py; the patch adds a guard clause requiring current_user.id == user_id or current_user.role_admin() before token generation or revocation. As a temporary compensating control, disable the Kobo sync feature entirely in the application settings if the library does not require Kobo device synchronization, reducing the attack surface to zero. Alternatively, restrict network access to the Kobo authentication route (typically /kobo_auth/*) to known Kobo client IP ranges or require additional authentication headers, though this may interfere with legitimate Kobo device sync. Audit existing Kobo tokens by reviewing the application's token store and invalidate any tokens created between the vulnerability introduction date and patching, to revoke attacker-obtained credentials.

Share

CVE-2026-7713 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy