CVE-2026-7713 Overview
CVE-2026-7713 affects crocodilestick Calibre-Web-Automated up to version 4.0.6. The vulnerability resides in the generate_auth_token function within cps/kobo_auth.py, part of the Kobo auth-token route. The flaw enables improper authorization [CWE-266], allowing a remote attacker with low privileges to manipulate authentication token generation. The exploit is publicly available, increasing the likelihood of opportunistic abuse against exposed instances. Version 4.0.7 addresses the issue, and the fix is tracked in commit 9f50bb2c16160564c9f8777dc2ceed3eb95e4807.
Critical Impact
Authenticated remote attackers can abuse the Kobo auth-token route in cps/kobo_auth.py to bypass authorization controls in Calibre-Web-Automated up to 4.0.6.
Affected Products
- crocodilestick Calibre-Web-Automated versions up to and including 4.0.6
- Kobo authentication route exposed via cps/kobo_auth.py
- Deployments running pre-4.0.7 builds of Calibre-Web-Automated
Discovery Timeline
- 2026-05-04 - CVE-2026-7713 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7713
Vulnerability Analysis
The vulnerability stems from improper authorization handling inside the generate_auth_token function. This function is responsible for issuing authentication tokens used by Kobo e-reader synchronization clients against the Calibre-Web-Automated server. The flaw is classified under [CWE-266] Incorrect Privilege Assignment, indicating the route does not correctly validate the requesting user's permission scope before issuing a token.
An attacker who already holds low-privilege credentials can manipulate the token-generation flow to obtain authentication material that should not be issued to that account. The result is unauthorized access to library content and synchronization endpoints typically reserved for higher-privileged accounts. The exploitation does not require user interaction and is reachable over the network.
Public exploit details have been disclosed through a GitHub Gist by menelausx and tracked in the project GitHub Issue Tracker.
Root Cause
The root cause is missing or insufficient authorization validation inside generate_auth_token in cps/kobo_auth.py. The function generates tokens without enforcing that the calling identity is entitled to the requested scope. The fix in commit 9f50bb2c16160564c9f8777dc2ceed3eb95e4807 adds the missing authorization checks before token issuance.
Attack Vector
The attacker requires network access to the Calibre-Web-Automated instance and a low-privilege authenticated session. The attacker then issues a crafted request to the Kobo auth-token route, triggering token generation with improper scope. No user interaction is needed. See the GitHub Pull Request for the corrective code path.
// No verified exploit code is published in this advisory.
// Refer to the public Gist and issue tracker linked in the references
// for technical proof-of-concept details.
Detection Methods for CVE-2026-7713
Indicators of Compromise
- Unexpected HTTP requests to the Kobo authentication endpoint exposed by cps/kobo_auth.py from low-privileged user sessions
- Anomalous issuance of Kobo synchronization tokens to accounts that do not normally use Kobo sync
- Access to library content or sync endpoints by accounts immediately after auth-token route activity
Detection Strategies
- Audit application logs for repeated calls to generate_auth_token originating from the same low-privilege account
- Compare issued Kobo tokens against the expected user role mapping and flag mismatches
- Alert on access patterns where a freshly issued token is used to reach resources outside the requesting user's normal scope
Monitoring Recommendations
- Forward Calibre-Web-Automated application and reverse-proxy logs to a centralized logging or SIEM platform for correlation
- Track the version of Calibre-Web-Automated deployed across hosts and alert on instances still running 4.0.6 or earlier
- Monitor outbound traffic from the application host for unusual data egress following Kobo token activity
How to Mitigate CVE-2026-7713
Immediate Actions Required
- Upgrade Calibre-Web-Automated to version 4.0.7 or later, which contains commit 9f50bb2c16160564c9f8777dc2ceed3eb95e4807
- Rotate any Kobo authentication tokens issued by vulnerable instances after upgrade
- Review user accounts and remove or restrict any low-privilege accounts that show abnormal token-generation activity
Patch Information
The maintainers fixed the issue in version 4.0.7. The corrective patch is identified by commit hash 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. Reference materials are available in the GitHub Commit Update and the GitHub Release v4.0.7. Operators should pull the upstream image or source from the GitHub Project Repository and redeploy.
Workarounds
- Restrict network access to the Calibre-Web-Automated instance using firewall rules or a VPN until the upgrade is applied
- Disable Kobo synchronization functionality if it is not required by the deployment
- Limit account creation and tighten password policies to reduce the pool of low-privilege accounts that could abuse the route
# Upgrade example for a Docker-based deployment
docker pull crocodilestick/calibre-web-automated:4.0.7
docker stop calibre-web-automated
docker rm calibre-web-automated
docker run -d --name calibre-web-automated \
-v /path/to/config:/config \
-v /path/to/library:/calibre-library \
-p 8083:8083 \
crocodilestick/calibre-web-automated:4.0.7
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
