CVE-2026-7709

Summary

A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
janeczkuCalibre-Web0.6.0affected
janeczkuCalibre-Web0.6.1affected
janeczkuCalibre-Web0.6.2affected
janeczkuCalibre-Web0.6.3affected
janeczkuCalibre-Web0.6.4affected
janeczkuCalibre-Web0.6.5affected
janeczkuCalibre-Web0.6.6affected
janeczkuCalibre-Web0.6.7affected
janeczkuCalibre-Web0.6.8affected
janeczkuCalibre-Web0.6.9affected
janeczkuCalibre-Web0.6.10affected
janeczkuCalibre-Web0.6.11affected
janeczkuCalibre-Web0.6.12affected
janeczkuCalibre-Web0.6.13affected
janeczkuCalibre-Web0.6.14affected
janeczkuCalibre-Web0.6.15affected
janeczkuCalibre-Web0.6.16affected
janeczkuCalibre-Web0.6.17affected
janeczkuCalibre-Web0.6.18affected
janeczkuCalibre-Web0.6.19affected
janeczkuCalibre-Web0.6.20affected
janeczkuCalibre-Web0.6.21affected
janeczkuCalibre-Web0.6.22affected
janeczkuCalibre-Web0.6.23affected
janeczkuCalibre-Web0.6.24affected
janeczkuCalibre-Web0.6.25affected
janeczkuCalibre-Web0.6.26affected

Weaknesses

  • CWE-285: Improper Authorization
  • CWE-266: Incorrect Privilege Assignment

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References