CVE-2026-47202— Kavita: Pre-Auth Account Takeover
Possible ATT&CK Techniques 1AI
T1078 · Valid AccountsGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47202
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Kavita: Pre-Auth Account Takeover
Source: NVD (National Vulnerability Database)
Vulnerability Description
Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-47202
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47202
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-47202 (1)
- 🔗 Pre-Auth Account Takeover · Advisory · Kareadita/Kavita · GitHub Read full article x_refsource_CONFIRM
Vendor Pages for CVE-2026-47202 (1)
- 🔗 Release v0.9.0.2 - Security Hotfix · Kareadita/Kavita · GitHubx_refsource_MISC
Same Patch Batch · Kareadita · 2026-05-26 · 3 CVEs total
| CVE-2026-44775 | Kavita: No authentication at /api/Reader/image | |
| CVE-2026-44776 | Kavita: IDOR in /api/Download/* |
IV. Related Vulnerabilities
Same vendor: Kareadita
- CVE-2026-44776
Kavita: IDOR in /api/Download/* - CVE-2026-44775
Kavita: No authentication at /api/Reader/image - CVE-2024-39307
Cross-Site Scripting (XSS) vulnerability via crafted ebooks - CVE-2023-0919
Missing Authentication for Critical Function in kareadita/ka - CVE-2022-3993
Improper Restriction of Excessive Authentication Attempts in
Same weakness: CWE-287
- CVE-2026-44720
OpenLearnX: Critical Authentication Bypass via JWT Signature - CVE-2026-47272
pam_usb: OTP pad authentication bypass via missing system pa - CVE-2026-7876
Authentication bypass vulnerability found in Aspera High-Spe - CVE-2026-8994
Login with NEAR <= 0.3.3 - Authentication Bypass via 'accoun - CVE-2026-44847
MaxKB: Webhook Trigger Authentication Bypass
V. Comments for CVE-2026-47202
No comments yet