CVE-2026-47202
Received Received - Intake
BaseFortify

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-05-26
AI Q&A
2026-05-26
EPSS Evaluated
N/A
NVD
CVE-2026-47202
EUVD
EUVD-2026-31938
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kareadita kavita to 0.9.0|end_including=0.9.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-47202 is a critical vulnerability in the Kavita reading server versions 0.9.0 and earlier. It involves an Improper Token Validation flaw that allows a remote, unauthenticated attacker to request a JSON Web Token (JWT) for any user, including administrators, if the attacker knows the username.

This means the attacker can completely take over any account without needing to authenticate or interact with the user.

The vulnerability is network-based, has low complexity to exploit, and results in high confidentiality and integrity loss.


How can this vulnerability impact me? :

This vulnerability allows an attacker to gain unauthorized access to any user account, including administrator accounts, on the Kavita server.

Such unauthorized access can lead to a complete account takeover, exposing sensitive data and potentially allowing the attacker to manipulate or steal information.

The impact includes a significant loss of confidentiality and integrity of data, although availability is not affected.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update the Kavita application to version 0.9.0.2 or later, as this version contains the security hotfix addressing CVE-2026-47202.

Users running versions 0.9.0 and earlier are strongly advised to upgrade immediately to prevent unauthorized access and potential account takeover.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart