CVE-2026-7714 Overview
CVE-2026-7714 is a missing authentication vulnerability [CWE-287] in Calibre-Web-Automated, an open-source fork of Calibre-Web maintained by crocodilestick. The flaw resides in cps/cwa_functions.py and exposes administrative functionality without requiring authentication. Versions up to and including 4.0.6 are affected. A remote attacker can reach the vulnerable Admin Endpoint over the network without credentials or user interaction. A proof-of-concept exploit has been published publicly. The maintainer was notified through a pull request but has not yet released a fix at the time of disclosure.
Critical Impact
Unauthenticated remote attackers can interact with administrative functions in cps/cwa_functions.py, leading to limited integrity and availability impact on the application.
Affected Products
- crocodilestick Calibre-Web-Automated versions up to 4.0.6
- The vulnerable component: cps/cwa_functions.py (Admin Endpoint)
- Self-hosted Calibre-Web-Automated deployments exposed to untrusted networks
Discovery Timeline
- 2026-05-04 - CVE-2026-7714 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7714
Vulnerability Analysis
Calibre-Web-Automated extends Calibre-Web with automation features for managing eBook libraries. The application defines administrative routes in cps/cwa_functions.py that should be restricted to authenticated administrators. One or more handlers in this file omit the authentication decorator or session check, allowing any unauthenticated HTTP client to invoke them.
Because the endpoint is reachable over the network, a remote attacker only needs network access to the application to trigger the issue. The CVSS vector indicates limited integrity and availability impact, with no direct confidentiality loss. In practical terms, attackers can manipulate administrative state in ways that affect application behavior and stability without first compromising a valid account.
Root Cause
The root cause is missing authentication on sensitive routes [CWE-287]. Authentication enforcement in the Calibre-Web codebase typically relies on Flask login decorators applied to view functions. The handlers introduced or modified in cps/cwa_functions.py lack this enforcement, breaking the trust boundary expected for the Admin Endpoint. A community pull request referenced in the project tracker proposes adding the missing authentication checks.
Attack Vector
The attack is purely network-based. An attacker sends crafted HTTP requests directly to the affected admin routes exposed by cps/cwa_functions.py. No privileges, credentials, or user interaction are required. Deployments behind authenticated reverse proxies, VPNs, or zero-trust gateways reduce exposure, but installations published to the internet, including those on home labs and small business NAS devices, are directly reachable. The published proof-of-concept demonstrates the request flow needed to reach the unauthenticated handlers.
For technical details, refer to the GitHub Gist PoC, the GitHub Issue Discussion, and the proposed Pull Request.
Detection Methods for CVE-2026-7714
Indicators of Compromise
- Unexpected HTTP requests to administrative paths served by cps/cwa_functions.py originating from unauthenticated sessions or unfamiliar IP addresses.
- Application log entries showing administrative actions without a corresponding authenticated user identifier.
- Sudden configuration, library, or scheduler changes in Calibre-Web-Automated that no administrator initiated.
Detection Strategies
- Inspect web server and reverse proxy access logs for requests to admin routes lacking session cookies or Authorization headers.
- Compare current cps/cwa_functions.py against the upstream repository to identify handlers missing @login_required or equivalent decorators.
- Correlate administrative state changes with authentication events to surface actions taken without a valid login.
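The source comparison in the list above can be partly automated. The script below is an added example, not code from Calibre-Web-Automated or from the advisory: it parses a Python module with the standard library's ast module and lists every Flask route handler that carries no authentication decorator. The decorator names it looks for (login_required, admin_required, login_required_if_no_ano) and the sample module it audits are assumptions and constructed input; a project may also enforce authentication in a before_request hook that this check cannot see, so treat the output as a review aid rather than a verdict.

```python
"""Audit Flask view functions for missing authentication decorators.

Added example (not Calibre-Web-Automated's own code). It finds every function
decorated with @<blueprint>.route(...) and reports the ones that do not also
carry one of the assumed auth decorators listed in AUTH_DECORATORS.
"""
import ast
import sys

# Assumed names of decorators that enforce authentication/authorization.
AUTH_DECORATORS = {"login_required", "admin_required", "login_required_if_no_ano"}

# Constructed sample resembling an admin module, with one unprotected handler.
SAMPLE_SOURCE = '''
from flask import Blueprint
from flask_login import login_required

cwa = Blueprint("cwa", __name__)

@cwa.route("/cwa/status")
@login_required
@admin_required
def status():
    return "ok"

@cwa.route("/cwa/reset", methods=["POST"])
def reset():          # no auth decorator: reachable by anyone
    return "reset"
'''


def _decorator_name(node):
    """Return the bare name of a decorator expression (e.g. 'login_required')."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def _is_route(node):
    """True for decorators such as @bp.route(...) or @app.route(...)."""
    return isinstance(node, ast.Call) and _decorator_name(node) == "route"


def find_unprotected_routes(source, auth_names=AUTH_DECORATORS):
    """Return (function_name, route_path) for routed handlers lacking auth decorators."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        routes = [d for d in node.decorator_list if _is_route(d)]
        if not routes:
            continue
        names = {_decorator_name(d) for d in node.decorator_list}
        if names & set(auth_names):
            continue
        for r in routes:
            if r.args and isinstance(r.args[0], ast.Constant):
                path = r.args[0].value
            else:
                path = "?"
            findings.append((node.name, path))
    return findings


if __name__ == "__main__":
    # Audit files given on the command line, or the constructed sample if none.
    targets = sys.argv[1:]
    if not targets:
        for name, path in find_unprotected_routes(SAMPLE_SOURCE):
            print(f"sample: {name}() serves {path} without an auth decorator")
    for filename in targets:
        with open(filename, encoding="utf-8") as fh:
            for name, path in find_unprotected_routes(fh.read()):
                print(f"{filename}: {name}() serves {path} without an auth decorator")
```

Run it against a copy of cps/cwa_functions.py and against the same file from the upstream repository; handlers that appear in one output and not the other are the first ones to review in the diff.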
Monitoring Recommendations
- Forward Calibre-Web-Automated and reverse proxy logs to a centralized logging or SIEM platform for retention and querying.
- Alert on spikes in 200-class responses to admin URLs from external IP ranges.
- Track outbound network activity from the Calibre-Web-Automated host to identify post-exploitation behavior.
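Two of the checks above, admin requests that lack a session cookie or Authorization header (Detection Strategies) and 200-class admin responses from external address ranges (Monitoring Recommendations), can be run over reverse proxy logs with the script below. It is an added example, not part of the advisory or the project. It assumes the proxy writes an nginx log_format equal to the standard combined format followed by two extra quoted fields, "$cookie_session" and "$http_authorization", so each line records whether a session cookie or an Authorization header was present; the admin path prefixes mirror the nginx location block later on this page and are an assumption about the application's routes, the trusted network list is a placeholder for the deployment's own ACLs, and the log lines are constructed for this example.

```python
"""Flag admin requests served without a session and count admin 2xx responses
from outside trusted networks.

Added example (not part of the advisory or Calibre-Web-Automated). Assumed log
format: nginx "combined" plus "$cookie_session" "$http_authorization".
"""
import ipaddress
import re
from collections import Counter

# Same prefixes as the nginx location block on this page (assumed admin routes).
ADMIN_PATH_RE = re.compile(r"^/(admin|cwa)(?:/|$)")

# Source ranges considered trusted (placeholder; adjust to the deployment's ACLs).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# combined format + "$cookie_session" "$http_authorization"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<session>[^"]*)" "(?P<authz>[^"]*)"$'
)

# Constructed sample lines: one authenticated internal admin request, three
# unauthenticated admin hits from one external address, one library request,
# and one internal unauthenticated admin request that was redirected to login.
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2026:10:01:02 +0000] "GET /cwa/status HTTP/1.1" 200 512 "-" "Mozilla/5.0" "s3ss10n" "-"
203.0.113.7 - - [04/May/2026:10:01:05 +0000] "POST /cwa/reset HTTP/1.1" 200 17 "-" "python-requests/2.31" "-" "-"
203.0.113.7 - - [04/May/2026:10:01:06 +0000] "POST /cwa/reset HTTP/1.1" 200 17 "-" "python-requests/2.31" "-" "-"
203.0.113.7 - - [04/May/2026:10:01:07 +0000] "GET /admin/?x=1 HTTP/1.1" 200 2048 "-" "python-requests/2.31" "-" "-"
198.51.100.9 - - [04/May/2026:10:02:00 +0000] "GET /book/42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0" "-" "-"
10.0.0.5 - - [04/May/2026:10:03:00 +0000] "GET /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-" "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]          # drop the query string
    # nginx logs "-" for an empty variable; treat "-" or "" as absent.
    rec["authenticated"] = (rec["session"] not in ("", "-")
                            or rec["authz"] not in ("", "-"))
    return rec


def is_admin_path(path):
    return ADMIN_PATH_RE.match(path) is not None


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)


def unauthenticated_admin_successes(lines):
    """Admin requests answered 2xx with no session cookie or Authorization header.

    A 302 to the login page is the expected result for an anonymous client and
    is not reported; a 2xx means the handler ran without authentication."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec and is_admin_path(rec["path"]) and 200 <= rec["status"] < 300
                and not rec["authenticated"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


def external_admin_2xx_over_threshold(lines, threshold):
    """Count 2xx admin responses per source IP outside TRUSTED_NETWORKS and
    return the addresses whose count reaches the threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and is_admin_path(rec["path"]) and 200 <= rec["status"] < 300
                and is_external(rec["ip"])):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in unauthenticated_admin_successes(lines):
        print("unauthenticated admin success:", hit)
    for ip, n in external_admin_2xx_over_threshold(lines, threshold=3).items():
        print(f"alert: {n} admin 2xx responses from external address {ip}")
```

Feed the functions real lines with something like unauthenticated_admin_successes(open("/var/log/nginx/access.log")); the threshold for the external count should be tuned to a window (for example per hour) when the script is turned into a scheduled job, since the constructed sample has no time bucketing.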
How to Mitigate CVE-2026-7714
Immediate Actions Required
- Remove direct internet exposure of Calibre-Web-Automated and place it behind an authenticated reverse proxy or VPN.
- Restrict access to the application using network ACLs or firewall rules limited to trusted source IP ranges.
- Audit administrator accounts, scheduled jobs, and library configuration for unauthorized modifications.
Patch Information
No official patched release is available at the time of publication. The maintainer has been notified via the GitHub Issue Discussion and a community-submitted Pull Request proposes adding the missing authentication checks to cps/cwa_functions.py. Operators should monitor the GitHub Project Repository for an upstream fix and update once a patched version above 4.0.6 is published.
Workarounds
- Front the application with a reverse proxy such as nginx, Caddy, or Traefik that enforces HTTP basic authentication or single sign-on before requests reach Calibre-Web-Automated.
- Apply the community-submitted patch from the open pull request to a local fork after reviewing the diff against cps/cwa_functions.py.
- Bind the service to a loopback or private interface only and access it through an authenticated tunnel such as WireGuard or Tailscale.
# Example: restrict Calibre-Web-Automated admin paths behind nginx basic auth.
# Only requests whose path matches this location are challenged; the other
# locations that proxy to the application must be defined separately.
location ~ ^/(admin|cwa) {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;   # created with htpasswd
    proxy_pass http://127.0.0.1:8083;            # application bound to loopback
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.