CVE-2026-7709
Authentication Bypass in Calibre-Web via Kobo Auth Token
Publication date: 2026-05-03
Last updated on: 2026-05-03
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| janeczku | calibre-web | up to and including 0.6.26 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability allows a remote attacker to manipulate an authorization decision, potentially gaining access to resources or actions in the affected Calibre-Web instance that they should not have. Depending on the privileges obtained, this can lead to unauthorized information disclosure, data modification, or other impacts.
Can you explain this vulnerability to me?
This vulnerability exists in janeczku Calibre-Web up to and including version 0.6.26, specifically in the function generate_auth_token in the file cps/kobo_auth.py. It is an improper authorization flaw (CWE-285) triggered by manipulation of the user_id argument. An attacker can exploit it remotely to bypass authorization controls.