CVE-2026-47202
CriticalSummary
Kavita is a cross-platform reading server. Prior to version 0.9.0.2, an improper token validation flaw allowed a remote and unauthenticated threat actor to request a JWT for any user, including admins, if they knew the username.
Risk Assessment
This vulnerability poses a risk of unauthorized access to user accounts, including administrator accounts, which could lead to serious security breaches.
Recommendation
It is recommended to upgrade to version 0.9.0.2 or later to mitigate this vulnerability.
Original NVD description (English source)
Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.

