Description
Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.
Published: 2026-05-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kavita, a cross‑platform reading server, contains an improper token validation flaw. Prior to release 0.9.0.2, a remote, unauthenticated actor can obtain a JSON Web Token for any user, including administrators, simply by supplying the target username. The attacker can then act as that user with full access to the account's data; a token for an administrator account amounts to administrative control of the server. The CVSS v4.0 vector (VC:H/VI:H/VA:L) records high confidentiality and integrity impact and a lower availability impact.

Affected Systems

The vulnerability affects all releases of Kareadita's Kavita server that precede version 0.9.0.2. Version 0.9.0.2 and later contain the fix.

Risk and Exploitability

The CVSS v4.0 base score of 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L) reflects a critical, network‑reachable flaw that needs no privileges, no user interaction and no special preconditions. EPSS currently estimates the probability of exploitation below 1%, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: none but Automatable: yes. An attacker needs only a valid username and an unauthenticated HTTP request to the endpoint that issues JWTs, so exploitation is straightforward for any remote party that can reach the instance, and usernames are routinely guessable or leaked.

Generated by OpenCVE AI on May 26, 2026 at 19:37 UTC.

Remediation

The vendor fix is release 0.9.0.2, as stated in the CVE description; no workaround short of upgrading is documented.

OpenCVE Recommended Actions

  • Upgrade to Kavita version 0.9.0.2 or newer; this is the only documented fix
  • If an upgrade cannot be performed immediately, limit who can reach the instance at the network layer (firewall rules, IP allow‑listing, VPN, or authentication at a reverse proxy); the token‑issuing endpoint must stay reachable for legitimate logins, so it cannot simply be blocked without breaking the service
  • Monitor authentication logs for token requests that target several different usernames from one source, that target administrator accounts, or that come from unfamiliar addresses, since these are the patterns an attacker abusing this flaw would produce
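
The following is an added example, not code from Kavita or from OpenCVE, that turns the two actionable items above into something runnable: a version comparison against the fixed release 0.9.0.2, and a detection pass over authentication logs that flags a source address requesting tokens for several different accounts in a short window. The log line format, the field names, and the sample lines are constructed for this example and are not Kavita's real log layout; adapt the regular expression to whatever your Kavita instance or reverse proxy actually emits.

```python
"""Triage helpers for the Kavita pre-auth token issuance flaw (CVE-2026-47202).

Added example, not the project's own code. Assumptions:
  * version strings are dotted numerics compared against the fixed release 0.9.0.2;
  * the log format matched by LOG_RE is a CONSTRUCTED, hypothetical one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIXED_VERSION = (0, 9, 0, 2)


def parse_version(text):
    """Turn '0.8.5.1' or 'v0.9.0.2' into a 4-tuple of ints, padding short versions."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text):
    """True when the reported version predates the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


# Hypothetical log layout (assumption, not Kavita's real format):
# <ISO-8601 timestamp> <LEVEL> token requested for user '<name>' from <ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) token requested for user '(?P<user>[^']+)' from (?P<ip>\S+)$"
)


def parse_log_line(line):
    """Return {ts, user, ip} for a matching line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "ip": m["ip"]}


def flag_token_sprays(lines, window=timedelta(minutes=5), min_distinct_users=3):
    """Return {ip: sorted usernames} for source IPs that requested tokens for at
    least `min_distinct_users` different accounts within `window`.

    A legitimate client almost never logs in as several users in quick
    succession; an attacker abusing this flaw needs only usernames and will
    typically try several, so the distinct-user count per source is the signal.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_log_line(line)
        if ev:
            events[ev["ip"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # order by time so a sliding window is valid
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {user for _, user in evs[start : end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = sorted(users)
                break
    return flagged


# Constructed sample lines: one address sprays three accounts (including the
# admin) inside two minutes; another address is a normal user logging in.
SAMPLE_LOG = [
    "2026-05-26T18:00:00Z INFO token requested for user 'carol' from 198.51.100.7",
    "2026-05-26T18:00:30Z INFO token requested for user 'carol' from 198.51.100.7",
    "2026-05-26T18:20:01Z INFO token requested for user 'alice' from 203.0.113.5",
    "2026-05-26T18:20:40Z INFO token requested for user 'bob' from 203.0.113.5",
    "2026-05-26T18:20:45Z WARN unrelated line that the parser must skip",
    "2026-05-26T18:21:15Z INFO token requested for user 'admin' from 203.0.113.5",
    "2026-05-26T23:59:00Z INFO token requested for user 'carol' from 198.51.100.7",
]


if __name__ == "__main__":
    for v in ("0.8.5.1", "0.9.0.1", "0.9.0.2", "0.9.1"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for ip, users in flag_token_sprays(SAMPLE_LOG).items():
        print(f"token spray from {ip}: {', '.join(users)}")
```

The version check pads short strings, so `0.9` compares as `0.9.0.0` and is reported vulnerable, which is the conservative reading. The detection deliberately keys on distinct usernames per source rather than raw request volume, because a single user retrying a password is noisy but harmless, whereas one address obtaining tokens for `alice`, `bob` and `admin` in two minutes is exactly what abuse of this flaw looks like.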

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

  Metrics added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 09:30:00 +0000

  First Time appeared: Kavita; Kavita kavita
  Vendors & Products added: Kavita; Kavita kavita

Tue, 26 May 2026 18:00:00 +0000

  Description added: Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.
  Title added: Kavita: Pre-Auth Account Takeover
  Weaknesses added: CWE-287, CWE-345, CWE-697
  References added: (none listed)
  Metrics added: cvssV4_0
  {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:23:39.941Z

Reserved: 2026-05-18T22:07:37.436Z

Link: CVE-2026-47202

Vulnrichment

Updated: 2026-05-27T17:23:36.844Z

NVD

Status : Deferred

Published: 2026-05-26T18:16:52.540

Modified: 2026-05-26T19:19:05.597

Link: CVE-2026-47202

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T09:15:29Z

Weaknesses
  • CWE-287

    Improper Authentication

  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-697

    Incorrect Comparison