Description
A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the generate_auth_token function within Calibre-Web's kobo_auth.py endpoint, where manipulating the user_id argument allows attackers to create a valid authentication token for any user. This flaw bypasses normal access controls and grants unauthorized access to the Calibre-Web service, potentially exposing all stored e‑books, metadata, and user data. The exploit is publicly available and can be triggered remotely by sending crafted requests to the vulnerable endpoint.

Affected Systems

janeczku Calibre-Web versions up to 0.6.26 are affected. Any deployment running these releases without an update is at risk.

Risk and Exploitability

With a CVSS score of 5.3 the issue delivers moderate severity. No EPSS score is published, and the vulnerability is not listed in CISA KEV, but public exploits exist, indicating that attackers may already be leveraging it. The attack vector is remote via HTTP requests to the kobo_auth.py endpoint, and success requires no special privileges. Given the lack of an available patch from the vendor, the risk remains present until a fix is released or mitigations are applied.

Generated by OpenCVE AI on May 4, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Calibre‑Web to the latest release that addresses the generate_auth_token flaw (currently any version newer than 0.6.26).
  • Configure network or application‑level controls to restrict the kobo_auth.py endpoint to trusted networks or require additional authentication so that only authorized users can invoke it.
  • Implement input validation or a whitelist check to ensure the user_id supplied to generate_auth_token matches the authenticated session’s user, thereby enforcing proper authorization.

Generated by OpenCVE AI on May 4, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 03 May 2026 23:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization
First Time appeared Janeczku
Janeczku calibre-web
Weaknesses CWE-266
CWE-285
CPEs cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*
Vendors & Products Janeczku
Janeczku calibre-web
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Janeczku Calibre-web
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T23:00:16.240Z

Reserved: 2026-05-03T07:35:23.631Z

Link: CVE-2026-7709

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-03T23:16:42.383

Modified: 2026-05-03T23:16:42.383

Link: CVE-2026-7709

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T00:30:32Z

Weaknesses