Description
A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Published: 2026-05-04
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authentication check (CWE-306, with CWE-287 also assigned) in admin-endpoint functionality implemented in the cps/cwa_functions.py module of Calibre-Web-Automated. The advisory does not identify which function is exposed. Because the check is absent, an unauthenticated remote client can invoke functionality that should be reserved for an administrator. The published CVSS vectors rate the resulting impact as no confidentiality loss with low integrity and low availability impact (C:N/I:L/A:L), so the concrete consequence is unauthorized modification of application state or disruption of the service rather than confirmed data disclosure or host compromise.
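The bug class above is an admin handler that is reachable without any session check. The following is an added, self-contained illustration written for this page, not code from Calibre-Web-Automated or from the vulnerable cwa_functions.py (whose contents the advisory does not show). It uses a constructed, dependency-free stand-in for a web framework (Router, Request, User and the route path /admin/reset-library are all invented for the example). It contrasts the fragile pattern, where every privileged route must remember its own decorator, with a prefix-level gate that refuses anonymous and non-admin requests to anything under /admin/ even when the handler author forgot the check:

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-ins for a framework's user and request objects (not Flask's).
@dataclass
class User:
    name: str
    is_admin: bool = False

@dataclass
class Request:
    path: str
    user: Optional[User] = None   # None: no authenticated session at all

Handler = Callable[[Request], Tuple[int, str]]

def require_admin(handler: Handler) -> Handler:
    """Per-route gate: 401 when there is no session, 403 when the session
    is not an admin. Authentication and authorization are checked separately."""
    @wraps(handler)
    def wrapper(req: Request) -> Tuple[int, str]:
        if req.user is None:
            return 401, "authentication required"
        if not req.user.is_admin:
            return 403, "admin role required"
        return handler(req)
    return wrapper

class Router:
    """Minimal dispatcher (hypothetical). With gate_admin_prefix=True every
    route registered under ADMIN_PREFIX is wrapped in require_admin at
    registration time, so a single forgotten decorator cannot expose it."""
    ADMIN_PREFIX = "/admin/"

    def __init__(self, gate_admin_prefix: bool) -> None:
        self.routes: Dict[str, Handler] = {}
        self.gate_admin_prefix = gate_admin_prefix

    def route(self, path: str):
        def register(handler: Handler) -> Handler:
            if self.gate_admin_prefix and path.startswith(self.ADMIN_PREFIX):
                handler = require_admin(handler)
            self.routes[path] = handler
            return handler
        return register

    def dispatch(self, req: Request) -> Tuple[int, str]:
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, "not found"
        return handler(req)

# Vulnerable setup: no prefix-level gate, and the author forgot the decorator.
vulnerable = Router(gate_admin_prefix=False)

@vulnerable.route("/admin/reset-library")
def reset_library_unprotected(req: Request) -> Tuple[int, str]:
    return 200, "library reset"          # privileged action, reachable by anyone

# Hardened setup: identical handler, still no decorator, but the router gates
# the whole admin prefix, so the missing check is caught at registration.
hardened = Router(gate_admin_prefix=True)

@hardened.route("/admin/reset-library")
def reset_library_gated(req: Request) -> Tuple[int, str]:
    return 200, "library reset"

def probe(router: Router, path: str = "/admin/reset-library") -> Tuple[int, int, int]:
    """Status codes for an anonymous, an ordinary-user and an admin request."""
    anon = Request(path)
    user = Request(path, User("alice"))
    admin = Request(path, User("root", is_admin=True))
    return tuple(router.dispatch(r)[0] for r in (anon, user, admin))

if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable))  # (200, 200, 200)
    print("hardened:  ", probe(hardened))    # (401, 403, 200)
```

The design point is deny-by-default: gate the admin surface at one choke point (a blueprint- or prefix-level before-request hook in a real framework, or the reverse proxy in front of it) rather than relying on each handler to opt in.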

Affected Systems

The affected product is Calibre-Web-Automated by crocodilestick, versions up to and including 4.0.6. No other versions or components are listed as vulnerable in the current advisory.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (Medium) reflects a network-reachable, low-complexity attack that needs no privileges and no user interaction (AV:N/AC:L/AT:N/PR:N/UI:N) with low integrity and low availability impact and no confidentiality impact. No EPSS score is available yet. The advisory states that an exploit has been published (E:P in the vectors) and that the attack can be launched remotely, so any instance whose admin endpoint is reachable from an untrusted network should be treated as exposed. The vulnerability is not in CISA's KEV catalog, which means no confirmed in-the-wild exploitation has been documented, not that none is occurring. Exploitation consists of sending an unauthenticated HTTP(S) request to the affected admin endpoint; the missing authentication check is the entire attack surface. Note also that the project was notified through a pull request and had not responded at publication, so no vendor fix existed when the advisory was issued.

Generated by OpenCVE AI on May 4, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround is provided in the advisory. The project was notified through a pull request but had not responded at publication, so all versions up to and including 4.0.6 should be treated as vulnerable.

OpenCVE Recommended Actions

  • Upgrade to a release that resolves the admin‑endpoint authentication issue as soon as the project publishes one. At the time of this advisory no fixed version is listed, so do not assume any version later than 4.0.6 is safe until its release notes or the referenced pull request confirm the fix.
  • Until a fix is available, prevent untrusted networks from reaching the admin endpoint: bind the service to a private interface, restrict it with firewall or security-group rules, or place it behind a reverse proxy that enforces its own authentication for the admin paths.
  • Review the administrative functionality and the web-server and application logs for unexpected requests to admin endpoints before and after remediation, since a published exploit means unauthorized use may already have occurred.

Generated by OpenCVE AI on May 4, 2026 at 02:24 UTC.

Advisories

No advisories yet.

History

Mon, 04 May 2026 01:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Title        (none)           crocodilestick Calibre-Web-Automated Admin Endpoint cwa_functions.py missing authentication
Weaknesses   (none)           CWE-287; CWE-306
References   (none)           (none listed)
Metrics      (none)           cvssV2_0: {'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
                              cvssV3_0: {'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T00:15:11.837Z

Reserved: 2026-05-03T07:59:49.252Z

Link: CVE-2026-7714

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T01:16:04.863

Modified: 2026-05-04T01:16:04.863

Link: CVE-2026-7714

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T02:30:34Z

Weaknesses