Improper Token Validation in Kavita Reading Server
CVE-2026-47202

9.3 CRITICAL

Key Information:

Vendor:
Kareadita
Status:
Vendor
CVE Published:
26 May 2026

What is CVE-2026-47202?

Kavita is a cross-platform reading server that has a flaw in its token validation mechanism. Specifically, versions prior to 0.9.0.2 allow a remote and unauthenticated attacker to generate a JSON Web Token (JWT) for any user, including those with administrative privileges, provided they know the username of the target. This vulnerability could potentially lead to unauthorized access and manipulation of user accounts, emphasizing the importance of upgrading to version 0.9.0.2 or later to mitigate this risk.
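The advisory does not say which step of Kavita's token check was wrong, so the following is a generic illustration of the vulnerability class rather than Kavita's code: a server that accepts a JWT without verifying the HMAC signature (validate_token_weak) will trust any username an unauthenticated client writes into the payload, while a correct check (validate_token) pins the algorithm, verifies the signature with the server's secret, and only then reads the claims. This is an added example that is not part of the original advisory; the secret, usernames, roles and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real server loads this from protected configuration.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, roles, secret, ttl=3600, now=None):
    """Mint an HS256 JWT for a user who has already authenticated."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "roles": list(roles), "iat": now, "exp": now + ttl}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token_weak(token, now=None):
    """ANTI-PATTERN: decodes the payload and checks expiry, never the signature.
    Anyone who knows a username can produce a token this function accepts."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = json.loads(b64url_decode(parts[1]))
    if payload.get("exp", 0) <= now:
        return None
    return payload


def validate_token(token, secret, now=None):
    """Return the payload only if the token was signed by this server and is unexpired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # Pin the algorithm server-side; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Only after the signature is verified are the claims trustworthy.
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if not isinstance(payload.get("sub"), str) or not payload["sub"]:
        return None
    return payload


def demo(now=1500):
    """Compare both validators on a genuine token, a token signed with a different
    key, and an unsigned token (alg=none). Timestamps are constructed."""
    genuine = issue_token("alice", ["User"], DEMO_SECRET, now=1000)
    other_key = issue_token("admin", ["Admin"], b"not-the-server-secret", now=1000)
    unsigned = (
        b64url_encode(b'{"alg":"none","typ":"JWT"}')
        + "."
        + b64url_encode(b'{"sub":"admin","roles":["Admin"],"iat":1000,"exp":4600}')
        + "."
    )
    return {
        "strict": {
            "genuine": validate_token(genuine, DEMO_SECRET, now),
            "other_key": validate_token(other_key, DEMO_SECRET, now),
            "unsigned": validate_token(unsigned, DEMO_SECRET, now),
        },
        "weak": {
            "genuine": validate_token_weak(genuine, now),
            "other_key": validate_token_weak(other_key, now),
            "unsigned": validate_token_weak(unsigned, now),
        },
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "weak" column in demo() accepts all three tokens, which is exactly the condition described above: a remote client needs nothing but a username to obtain an admin session. The "strict" validator accepts only the token the server itself signed; the fix for this class of bug is to never read claims before the signature check succeeds, and to upgrade to 0.9.0.2 or later where the server is Kavita.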

Affected Version(s)

Kavita < 0.9.0.2

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
