GHSA-2h2f-frxq-r68wMediumCVSS 4.3
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows...
🔗 CVE IDs covered (1)
📋 Description
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-57945
- https://github.com/photoprism/photoprism/issues/5619
- https://github.com/photoprism/photoprism/releases/tag/260601-a7d098548
- https://www.vulncheck.com/advisories/photoprism-unauthorized-user-profile-modification-via-put-api-v1-users-uid-endpoint
- https://github.com/advisories/GHSA-2h2f-frxq-r68w