Description
A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack can be performed remotely. The exploit is now public and may be used. Upgrading to version 4.0.7 addresses this issue. The patch is identified as 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. The affected component should be upgraded.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Kobo authentication token generator allows an attacker to obtain valid tokens without proper authorization, enabling unauthorized access to protected resources. The vulnerability is triggered through the generate_auth_token function in cps/kobo_auth.py and can be exploited over the network. The impact is the ability to impersonate a legitimate user or service. The record lists CWE-266 (incorrect privilege assignment) and CWE-285 (improper authorization). All published CVSS vectors carry PR:L (CVSS v2: Au:S), so the attacker is assumed to already hold a low-privileged account on the instance.
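The pattern behind an improper-authorization bug in a token-issuing route, shown as an added illustration that is not Calibre-Web-Automated's code and does not claim to reproduce the actual defect in generate_auth_token: a logged-in user asks the route for a token, the route checks only that the requested account exists, and so any low-privileged user can mint a token bound to someone else (the impersonation the analysis describes). The hardened variant binds the token to the caller's own session unless an administrator is acting. The `Session` class, `USERS` table, `SERVER_SECRET` and the token layout are all assumptions made for the demo.

```python
"""Illustrative token-issuing route with a missing authorization check, beside
its hardened form. Not Calibre-Web-Automated's code; the user table, session
object and token format are constructed for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment signing key

# Constructed user table: id -> username.
USERS = {1: "admin", 2: "alice", 3: "bob"}


@dataclass(frozen=True)
class Session:
    """Assumed shape of the caller's authenticated session."""
    user_id: int
    is_admin: bool = False


def mint_token(user_id: int) -> str:
    """Issue an HMAC-bound token for user_id so the server can verify it later."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{nonce}:{mac}"


def verify_token(token: str) -> Optional[int]:
    """Return the user id a token was issued for, or None if malformed or forged."""
    try:
        uid, nonce, mac = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{uid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return int(uid) if hmac.compare_digest(mac, expected) else None


def generate_auth_token_vulnerable(session: Session, requested_user_id: int) -> str:
    """CWE-285 pattern: existence of the target is checked, entitlement is not."""
    if requested_user_id not in USERS:
        raise KeyError("unknown user")
    # Missing: does `session` have the right to act as requested_user_id?
    return mint_token(requested_user_id)


def generate_auth_token_fixed(session: Session, requested_user_id: int) -> str:
    """Hardened: only the account itself or an administrator may obtain its token."""
    if requested_user_id not in USERS:
        raise KeyError("unknown user")
    if requested_user_id != session.user_id and not session.is_admin:
        raise PermissionError("cannot issue a token for another user")
    return mint_token(requested_user_id)


def demo() -> dict:
    """Low-privileged 'bob' tries to obtain a token for 'admin' against both routes."""
    bob = Session(user_id=3)
    stolen = generate_auth_token_vulnerable(bob, 1)   # succeeds: token valid as admin
    own = generate_auth_token_fixed(bob, 3)           # allowed: his own token
    try:
        generate_auth_token_fixed(bob, 1)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "vulnerable_issues_admin_token": verify_token(stolen) == 1,
        "fixed_own_token_user": verify_token(own),
        "fixed_blocks_impersonation": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The check in the hardened route is deliberately placed after the existence check but before any token is minted: an authorization decision made after a credential has been issued cannot be unwound.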

Affected Systems

Crocodilestick's Calibre-Web-Automated application up to version 4.0.6 is vulnerable. The issue is confined to the Kobo auth-token Route component. Version 4.0.7 removes the flaw; the fixing commit is 9f50bb2c16160564c9f8777dc2ceed3eb95e4807.

Risk and Exploitability

The vulnerability has a CVSS v4.0 base score of 5.3 (medium); the CVSS v3.1 score is 6.3. No EPSS information is available and it is not listed in CISA's KEV catalog. Because a public exploit exists and the attack is performed over the network, the risk is non-negligible for exposed installations, although every published vector requires the attacker to hold a low-privileged account (PR:L). The missing authorization check is therefore most relevant where untrusted users can register or log in and can reach the Kobo auth-token route. Monitoring for token issuance by an account other than the token's owner, or for attempts to do so, remains prudent until the update is applied.
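A detection sketch for the monitoring suggested above, added here as an example and not derived from Calibre-Web-Automated's real logging: it parses constructed audit lines in an assumed `actor=... subject=...` format and raises one alert per successful token issuance where the acting account is neither the token's subject nor an administrator, plus an enumeration alert when one source address collects tokens for several distinct subjects. The log format, `ADMINS` set and `ENUM_THRESHOLD` are assumptions.

```python
"""Flag Kobo-style auth-token issuance that crosses user boundaries.
Constructed log format and thresholds; not Calibre-Web-Automated's own logs."""
import re
from collections import defaultdict

ADMINS = {"admin"}        # assumption: accounts allowed to issue tokens for others
ENUM_THRESHOLD = 3        # assumption: distinct subjects per source before alerting

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) actor=(?P<actor>\S+) "
    r"action=kobo_token subject=(?P<subject>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample: alice fetches her own token, bob harvests three other
# users' tokens from one address, admin legitimately issues one for carol.
SAMPLE_LOG = """\
2026-05-04T00:10:01Z src=10.0.0.5 actor=alice action=kobo_token subject=alice status=200
2026-05-04T00:10:07Z src=203.0.113.9 actor=bob action=kobo_token subject=admin status=200
2026-05-04T00:10:08Z src=203.0.113.9 actor=bob action=kobo_token subject=alice status=200
2026-05-04T00:10:09Z src=203.0.113.9 actor=bob action=kobo_token subject=carol status=200
2026-05-04T00:11:00Z src=10.0.0.7 actor=admin action=kobo_token subject=carol status=200
"""


def parse(line: str):
    """Return the fields of one log line, or None if it is not a token event."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str) -> list:
    """Return alerts as tuples; the first element names the rule that fired."""
    alerts = []
    subjects_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["status"] != "200":
            continue  # only successful issuance is interesting here
        if ev["actor"] != ev["subject"] and ev["actor"] not in ADMINS:
            alerts.append(("cross_user_token", ev["actor"], ev["subject"], ev["src"]))
        subjects_by_src[ev["src"]].add(ev["subject"])
    for src, subjects in subjects_by_src.items():
        if len(subjects) >= ENUM_THRESHOLD:
            alerts.append(("token_enumeration", src, len(subjects)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the rule fires three times for bob and once for the source 203.0.113.9; alice's own request and the administrator's request are not flagged. If the deployed route only logs the requester and not the subject, the first rule cannot be written at all, which is itself a finding to raise with whoever owns the logging.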

Generated by OpenCVE AI on May 4, 2026 at 01:20 UTC.

Remediation

No vendor advisory or workaround is linked to this record. The CVE description itself identifies version 4.0.7 and commit 9f50bb2c16160564c9f8777dc2ceed3eb95e4807 as the fix.

OpenCVE Recommended Actions

  • Upgrade to Calibre-Web-Automated v4.0.7, the version the record identifies as removing the flaw.
  • Disable or restrict the Kobo auth-token functionality if not required for your workflow to reduce exposure.
  • Implement network boundary controls, such as firewall rules or access lists, to limit remote reachability to the Calibre-Web server until the update is installed.

Generated by OpenCVE AI on May 4, 2026 at 01:20 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 04 May 2026 00:15:00 +0000

Type         Values removed   Values added
Description  (none)           A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.0.7 addresses this issue. The patch is identified as 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. The affected component should be upgraded.
Title        (none)           crocodilestick Calibre-Web-Automated Kobo auth-token Route kobo_auth.py generate_auth_token improper authorization
Weaknesses   (none)           CWE-266, CWE-285
References   (none)           (none)
Metrics      (none)           cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
                              cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                              cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
                              cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T00:00:32.992Z

Reserved: 2026-05-03T07:59:45.943Z

Link: CVE-2026-7713

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T00:16:40.167

Modified: 2026-05-04T00:16:40.167

Link: CVE-2026-7713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T01:30:33Z

Weaknesses