Executive Summary

CVE-2026-7713 is an Insecure Direct Object Reference (IDOR) vulnerability in the Kobo authentication system of Calibre-Web-Automated and Calibre-Web-NextGen. It affects the generate_auth_token function in the cps/kobo_auth.py file, specifically the /kobo_auth/generate_auth_token/<user_id> endpoint.

The vulnerability arises because the endpoint only requires the user to be authenticated but does not verify if the requesting user is authorized to generate or retrieve an authentication token for the specified user_id. This means any authenticated user can generate or obtain Kobo authentication tokens for other users by supplying their user IDs.

Since user IDs are predictable and sequential, an attacker can enumerate user IDs and impersonate other users by using their tokens to access the Kobo API, enabling unauthorized access to syncing and downloading books.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access and impersonation of other users within the Calibre-Web environment, specifically through the Kobo sync feature.

• An attacker who is any authenticated user can generate or retrieve authentication tokens for other users, allowing them to impersonate those users.
• Impersonation enables the attacker to access sensitive user data such as synced books and potentially perform actions on behalf of the victim user.
• The vulnerability also allows an attacker to revoke other users' authentication tokens, causing a soft denial-of-service by preventing victims from syncing their Kobo devices.

Overall, this can compromise user privacy, disrupt normal user operations, and lead to unauthorized data access or manipulation.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability involves an Insecure Direct Object Reference (IDOR) in the Kobo authentication token endpoints of Calibre-Web-Automated and Calibre-Web-NextGen. Detection can focus on monitoring requests to the `/kobo_auth/generate_auth_token/<user_id>` endpoint to see if tokens are being generated for user IDs other than the authenticated user.

Since the exploit requires authenticated access, you can audit logs for unusual or unauthorized token generation requests where the `user_id` in the URL does not match the authenticated user's ID.

Suggested commands to detect exploitation attempts include using web server access logs or network traffic inspection tools to filter requests to the vulnerable endpoint. For example, using grep on access logs:

• grep "/kobo_auth/generate_auth_token/" /var/log/nginx/access.log | awk '{print $1, $7, $9}'
• Look for requests where the user ID in the URL differs from the authenticated user or where multiple user IDs are targeted in a short time frame.

Additionally, monitoring application logs for token generation or deletion events and correlating them with user sessions can help detect unauthorized activity.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the affected component to version 4.0.7 or later, where the vulnerability has been fixed.

The fix adds authorization checks to ensure that only the user themselves or an administrator can generate or delete Kobo authentication tokens for a given user ID, preventing unauthorized access.

If upgrading immediately is not possible, consider restricting access to the vulnerable endpoints by limiting authenticated user permissions or applying network-level controls to prevent unauthorized token generation.

Review and monitor user activity related to Kobo authentication tokens to detect and respond to any suspicious behavior.

Additionally, be aware of a secondary shell injection vulnerability in `scripts/cover_enforcer.py` that was also fixed in the same release; upgrading addresses this as well.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows any authenticated user to generate or retrieve Kobo authentication tokens for other users without proper authorization, enabling impersonation and unauthorized access to user data.

Such unauthorized access and impersonation could lead to exposure or misuse of personal data, which may violate data protection regulations like GDPR that require strict access controls and user data confidentiality.

Similarly, for regulations like HIPAA, which mandate protection of sensitive health information, improper authorization and potential data exposure could result in non-compliance.

Therefore, this vulnerability undermines the security controls necessary to comply with common standards and regulations that emphasize user data protection and access control.

Useful 0 Not Useful 0