CVE-2026-7709 MEDIUM

CVE-2026-7709: janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization

Vendor Janeczku
Product Calibre-Web
Weakness CWE-285
Published May 3, 2026
Last update May 4, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

May 3, 2026 CVE published
May 4, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2018-0459 Cisco Enterprise NFV Infrastructure Software Denial of Service Vulnerability CVE-2026-7631 code-projects Online Hospital Management System Registration improper authorization CVE-2026-2294 UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update CVE-2025-8791 LitmusChaos Litmus list_projects improper authorization CVE-2026-45371 SiYuan: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs