CVE-2026-47202
Description
Kavita is a cross-platform reading server. Prior to 0.9.0.2, an improper token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user, including admins, given knowledge of their username. This vulnerability is fixed in 0.9.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper token validation flaw in Kavita prior to 0.9.0.2 allows unauthenticated attackers to obtain JWTs for any user, including admins, leading to account takeover.
Vulnerability
In Kavita versions prior to 0.9.0.2, the token validation logic is improperly implemented, allowing a remote and unauthenticated attacker to request a JSON Web Token (JWT) for any user, including administrators, provided they know the target's username. The underlying weaknesses are classified as CWE-287 (Improper Authentication), CWE-345 (Insufficient Verification of Data Authenticity), and CWE-697 (Incorrect Comparison) [2]. The vulnerability was confirmed in container images ghcr.io/kareadita/kavita:0.9.0 and 0.8.9.1 [2].
Exploitation
An attacker needs only knowledge of a valid username (no authentication or user interaction required). By sending a crafted request to the token endpoint, the attacker can obtain a valid JWT for that user [2]. The attack is remote and does not require any prior access or special network position.
Impact
Successful exploitation grants the attacker a valid JWT for the targeted user, enabling full account takeover. For administrative accounts, this results in complete compromise of the Kavita instance, including access to all reading lists, series, and user data. The vulnerability is rated Critical with a CVSSv4 score of 9.3 [2].
Mitigation
The vulnerability is fixed in Kavita version 0.9.0.2, released on 2026-05-26 [1]. All users are strongly advised to update immediately. No workarounds have been published, and the issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.