Description
A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.0.7 addresses this issue. The patch is identified as 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. The affected component should be upgraded.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Kobo authentication token generator allows an attacker to create valid tokens without proper authorization, enabling unauthorized access to protected resources. The vulnerability is triggered through the generate_auth_token function in cps/kobo_auth.py and can be exploited remotely. The impact is the ability to impersonate a legitimate user or service. The weakness relates to improper privilege or authority checks.

Affected Systems

Crocodilestick’s Calibre-Web-Automated application up to version 4.0.6 is vulnerable. The issue is confined to the Kobo auth-token Route component. An upgrade to version 4.0.7, identified by commit 9f50bb2c16160564c9f8777dc2ceed3eb95e4807, removes the flaw.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity, and no EPSS information is available. It is not listed in CISA’s KEV catalog. Because the exploit is publicly available and can be performed over the network, the risk of exploitation is non‑negligible for exposed installations. Authorization checks are bypassed, so the weakness is most relevant for attackers who can reach the target system. Monitoring for unauthorized token creation or attempts remains prudent until the patch is applied.

Generated by OpenCVE AI on May 4, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to Calibre-Web-Automated v4.0.7, the latest released patch that removes the flaw.
  • Disable or restrict the Kobo auth-token functionality if not required for your workflow to reduce exposure.
  • Implement network boundary controls, such as firewall rules or access lists, to limit remote reachability to the Calibre-Web server until the update is installed.


Advisories

No advisories yet.

History

Tue, 05 May 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 16:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Crocodilestick; Crocodilestick calibre-web-automated
Vendors & Products  |                | Crocodilestick; Crocodilestick calibre-web-automated

Mon, 04 May 2026 00:15:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.0.7 addresses this issue. The patch is identified as 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. The affected component should be upgraded.
Title       |                | crocodilestick Calibre-Web-Automated Kobo auth-token Route kobo_auth.py generate_auth_token improper authorization
Weaknesses  |                | CWE-266; CWE-285
References  |                |
Metrics     |                | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
            |                | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
            |                | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
            |                | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Crocodilestick Calibre-web-automated
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T19:00:28.901Z

Reserved: 2026-05-03T07:59:45.943Z

Link: CVE-2026-7713

Vulnrichment

Updated: 2026-05-05T19:00:20.287Z

NVD

Status : Deferred

Published: 2026-05-04T00:16:40.167

Modified: 2026-05-05T19:11:29.130

Link: CVE-2026-7713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:06:20Z

Weaknesses