CVE-2026-47202
Deferred Deferred - Pending Action
Improper Token Validation in Kavita Prior to 0.9.0.2

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-47202
EUVD
EUVD-2026-31938
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kareadita kavita to 0.9.0|end_including=0.9.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-47202 is a critical vulnerability in the Kavita reading server versions 0.9.0 and earlier. It involves an Improper Token Validation flaw that allows a remote, unauthenticated attacker to request a JSON Web Token (JWT) for any user, including administrators, if the attacker knows the username.

This means the attacker can completely take over any account without needing to authenticate or interact with the user.

The vulnerability is network-based, has low complexity to exploit, and results in high confidentiality and integrity loss.

Impact Analysis

This vulnerability allows an attacker to gain unauthorized access to any user account, including administrator accounts, on the Kavita server.

Such unauthorized access can lead to a complete account takeover, exposing sensitive data and potentially allowing the attacker to manipulate or steal information.

The impact includes a significant loss of confidentiality and integrity of data, although availability is not affected.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Kavita application to version 0.9.0.2 or later, as this version contains the security hotfix addressing CVE-2026-47202.

Users running versions 0.9.0 and earlier are strongly advised to upgrade immediately to prevent unauthorized access and potential account takeover.

Compliance Impact

The vulnerability allows a remote, unauthenticated attacker to take over any user account, including administrators, by requesting a JWT if the username is known. This leads to a complete account takeover without authentication, resulting in high confidentiality and integrity loss.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart