Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
AnalysisAI
Authentication bypass in Calibre-Web-Automated up to version 4.0.6 allows remote unauthenticated attackers to access admin endpoints in the cps/cwa_functions.py component, specifically affecting Convert Library and EPUB Fixer administrative functions. Multiple endpoints lacking required authentication decorators (@login_required_if_no_ano and @admin_required) permit unauthorized users to trigger book conversions, manage conversion jobs, download logs, and manipulate EPUB files. Publicly available exploit code exists and patch is available from vendor.
Technical ContextAI
Calibre-Web-Automated is a web-based library management system for ebooks built on Flask. The vulnerability stems from missing authentication decorators on Flask route handlers in cps/cwa_functions.py. Flask uses decorator-based authentication patterns where @login_required_if_no_ano and @admin_required decorators enforce access control before handler execution. The CWE-306 (Missing Authentication for Critical Function) classification confirms that critical admin operations including kill_convert_library(), schedule_convert_library(), show_convert_library_logs(), download_current_log(), start_conversion(), kill_epub_fixer(), schedule_epub_fixer(), show_epub_fixer_logs(), run_epub_fixer_for_book(), and cancel_epub_fixer() were exposed without these decorators. The PR#1308 demonstrates systematic addition of missing decorators across at least 12 vulnerable endpoints, indicating architectural oversight rather than isolated bugs. The affected product runs as a web service (cpe:2.3:a:crocodilestick:calibre-web-automated) on default network-accessible ports.
RemediationAI
The vendor has released a patch available via PR#1308 (https://github.com/crocodilestick/Calibre-Web-Automated/pull/1308) which adds @login_required_if_no_ano and @admin_required decorators to all affected endpoints. Operators should upgrade to the patched version immediately once released and officially tagged. Until a release is available, the most effective temporary mitigation is to restrict network access to the Calibre-Web-Automated web service using a firewall, reverse proxy (nginx/Apache), or cloud security group to permit only trusted internal networks or IP ranges. If the application supports it, disable the Convert Library and EPUB Fixer features entirely via configuration until patched. Do NOT rely solely on application-level ACLs as unauthenticated endpoints bypass application logic. Note that network isolation mitigation requires ongoing manual enforcement and does not address the root vulnerability, so patching is essential.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26865