Skip to main content

Calibre-Web-Automated CVE-2026-7714

| EUVDEUVD-2026-26865 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-05-04 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Source Code Evidence Fetched
May 04, 2026 - 01:45 vuln.today
Analysis Generated
May 04, 2026 - 01:45 vuln.today
CVSS changed
May 04, 2026 - 01:22 NVD
6.5 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
May 04, 2026 - 01:16 vuln.today
Public exploit code
EUVD ID Assigned
May 04, 2026 - 01:15 euvd
EUVD-2026-26865
Analysis Generated
May 04, 2026 - 01:15 vuln.today
Patch released
May 04, 2026 - 01:15 nvd
Patch available
CVE Published
May 04, 2026 - 00:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

AnalysisAI

Authentication bypass in Calibre-Web-Automated up to version 4.0.6 allows remote unauthenticated attackers to access admin endpoints in the cps/cwa_functions.py component, specifically affecting Convert Library and EPUB Fixer administrative functions. Multiple endpoints lacking required authentication decorators (@login_required_if_no_ano and @admin_required) permit unauthorized users to trigger book conversions, manage conversion jobs, download logs, and manipulate EPUB files. Publicly available exploit code exists and patch is available from vendor.

Technical ContextAI

Calibre-Web-Automated is a web-based library management system for ebooks built on Flask. The vulnerability stems from missing authentication decorators on Flask route handlers in cps/cwa_functions.py. Flask uses decorator-based authentication patterns where @login_required_if_no_ano and @admin_required decorators enforce access control before handler execution. The CWE-306 (Missing Authentication for Critical Function) classification confirms that critical admin operations including kill_convert_library(), schedule_convert_library(), show_convert_library_logs(), download_current_log(), start_conversion(), kill_epub_fixer(), schedule_epub_fixer(), show_epub_fixer_logs(), run_epub_fixer_for_book(), and cancel_epub_fixer() were exposed without these decorators. The PR#1308 demonstrates systematic addition of missing decorators across at least 12 vulnerable endpoints, indicating architectural oversight rather than isolated bugs. The affected product runs as a web service (cpe:2.3:a:crocodilestick:calibre-web-automated) on default network-accessible ports.

RemediationAI

The vendor has released a patch available via PR#1308 (https://github.com/crocodilestick/Calibre-Web-Automated/pull/1308) which adds @login_required_if_no_ano and @admin_required decorators to all affected endpoints. Operators should upgrade to the patched version immediately once released and officially tagged. Until a release is available, the most effective temporary mitigation is to restrict network access to the Calibre-Web-Automated web service using a firewall, reverse proxy (nginx/Apache), or cloud security group to permit only trusted internal networks or IP ranges. If the application supports it, disable the Convert Library and EPUB Fixer features entirely via configuration until patched. Do NOT rely solely on application-level ACLs as unauthenticated endpoints bypass application logic. Note that network isolation mitigation requires ongoing manual enforcement and does not address the root vulnerability, so patching is essential.

Share

CVE-2026-7714 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy