CVE-2026-7709: Improper Authorization in janeczku Calibre-Web
CVE-2026-7709 is a medium severity vulnerability in janeczku Calibre-Web up to version 0.6.26. It involves improper authorization due to manipulation of the user_id argument in the generate_auth_token function within cps/kobo_auth.py. The vulnerability can be exploited remotely without user interaction. Although an exploit is publicly available, there is no vendor response or official patch as of the publication date.
AI Analysis
Technical Summary
This vulnerability affects the generate_auth_token function in the cps/kobo_auth.py file of janeczku Calibre-Web versions up to 0.6.26. Improper authorization arises from the ability to manipulate the user_id argument, potentially allowing unauthorized access or actions. The attack vector is remote with no privileges or user interaction required. The CVSS 4.0 base score is 5.3, reflecting medium severity with network attack vector, low complexity, and no privileges required. The vendor was contacted but has not provided a fix or advisory, and no official remediation is currently available.
Potential Impact
Successful exploitation could allow an attacker to bypass authorization controls by manipulating the user_id parameter, potentially gaining unauthorized access or performing unauthorized actions within the affected Calibre-Web instance. The impact is limited to the scope of authorization bypass and does not indicate direct code execution or data corruption. No known exploits in the wild have been reported, but a public exploit exists.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or advisory has been released by the vendor, users should monitor for updates from janeczku. Until a patch is available, consider restricting network access to the Calibre-Web service and applying compensating controls to limit exposure. Avoid exposing the service to untrusted networks where possible.
CVE-2026-7709: Improper Authorization in janeczku Calibre-Web
Description
CVE-2026-7709 is a medium severity vulnerability in janeczku Calibre-Web up to version 0.6.26. It involves improper authorization due to manipulation of the user_id argument in the generate_auth_token function within cps/kobo_auth.py. The vulnerability can be exploited remotely without user interaction. Although an exploit is publicly available, there is no vendor response or official patch as of the publication date.
CVSS v4.0
Score 5.3medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the generate_auth_token function in the cps/kobo_auth.py file of janeczku Calibre-Web versions up to 0.6.26. Improper authorization arises from the ability to manipulate the user_id argument, potentially allowing unauthorized access or actions. The attack vector is remote with no privileges or user interaction required. The CVSS 4.0 base score is 5.3, reflecting medium severity with network attack vector, low complexity, and no privileges required. The vendor was contacted but has not provided a fix or advisory, and no official remediation is currently available.
Potential Impact
Successful exploitation could allow an attacker to bypass authorization controls by manipulating the user_id parameter, potentially gaining unauthorized access or performing unauthorized actions within the affected Calibre-Web instance. The impact is limited to the scope of authorization bypass and does not indicate direct code execution or data corruption. No known exploits in the wild have been reported, but a public exploit exists.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or advisory has been released by the vendor, users should monitor for updates from janeczku. Until a patch is available, consider restricting network access to the Calibre-Web service and applying compensating controls to limit exposure. Avoid exposing the service to untrusted networks where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-03T07:35:23.631Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f7d893cbff5d861073b5d1
Added to database: 5/3/2026, 11:21:55 PM
Last enriched: 5/11/2026, 2:18:28 AM
Last updated: 6/17/2026, 8:00:33 PM
Views: 94
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.