Kavita versions before 0.9.0.2 suffer from an improper token validation vulnerability (CWE-287) that permits remote unauthenticated actors to obtain JWTs for arbitrary users by supplying their usernames. This flaw compromises authentication mechanisms, potentially allowing attackers to impersonate users, including admins. The vulnerability has a CVSS 4.0 base score of 9.3 (critical), reflecting its network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity. The issue is resolved in version 0.9.0.2.

An attacker who knows a valid username can obtain a JWT token without authentication, enabling unauthorized access to the Kavita server as that user, including administrative accounts. This can lead to full compromise of user accounts and associated data confidentiality and integrity loss. There are no known active exploits reported at this time.

Upgrade Kavita to version 0.9.0.2 or later, where the improper token validation vulnerability is fixed. Since no official patch link or advisory is provided, users should verify the version and apply the update accordingly. Patch status is not explicitly confirmed beyond the version fix note; check the vendor's official channels for current remediation guidance.