PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47202 Kareadita CVE debrief

A critical authentication bypass vulnerability in Kavita, a cross-platform reading server, allows remote unauthenticated attackers to obtain valid JWT tokens for any user—including administrators—by knowing only the target username. The flaw stems from improper token validation (CWE-287, CWE-345, CWE-697) in versions prior to 0.9.0.2. Successful exploitation grants full administrative access to the affected instance without requiring any credentials. The vulnerability was disclosed on May 26, 2026, with a fix released in version 0.9.0.2. Organizations running Kavita should prioritize upgrading to the patched version immediately, as this vulnerability enables complete account takeover with minimal attacker effort.

Vendor
Kareadita
Product
Kavita
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations and individuals self-hosting Kavita reading server instances, particularly those with administrative accounts managing sensitive content libraries. Security teams responsible for application security in media server environments. DevOps practitioners managing Kavita deployments who need to prioritize patching schedules.

Technical summary

Kavita versions prior to 0.9.0.2 contain an improper token validation vulnerability that allows remote unauthenticated attackers to request valid JWT authentication tokens for arbitrary user accounts, including administrative accounts, with knowledge of only the target username. The vulnerability is classified under CWE-287 (Improper Authentication), CWE-345 (Insufficient Verification of Data Authenticity), and CWE-697 (Incorrect Comparison). The CVSS 4.0 score of 9.3 reflects network attack vector, low attack complexity, no privileges required, no user interaction, and high impacts to confidentiality and integrity. The vulnerability was fixed in Kavita version 0.9.0.2 released on May 26, 2026.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Kavita to version 0.9.0.2 or later immediately to remediate the improper token validation vulnerability
  • Review authentication logs for suspicious JWT token requests or unauthorized administrative access prior to patching
  • Invalidate all existing JWT tokens and force re-authentication for all users after upgrading to prevent use of attacker-obtained tokens
  • Implement network segmentation to restrict Kavita instance access to authorized users only until patching is complete
  • Monitor for unauthorized account access attempts, particularly for administrative accounts, as indicators of potential exploitation

Evidence notes

Vulnerability description and CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N) confirm network-exploitable, unauthenticated access with high confidentiality and integrity impact. CWE-287 (Improper Authentication), CWE-345 (Insufficient Verification of Data Authenticity), and CWE-697 (Incorrect Comparison) identified as root causes. Fix version 0.9.0.2 confirmed via vendor release notes.

Official resources

2026-05-26