CVE Catalog

CVE-2026-47202

Critical
Published: Translated: NVD NIST

Summary

Kavita is a cross-platform reading server. Prior to version 0.9.0.2, an improper token validation flaw allowed a remote and unauthenticated threat actor to request a JWT for any user, including admins, if they knew the username.

Risk Assessment

This vulnerability poses a risk of unauthorized access to user accounts, including administrator accounts, which could lead to serious security breaches.

Recommendation

It is recommended to upgrade to version 0.9.0.2 or later to mitigate this vulnerability.

Original NVD description (English source)

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS