GHSA-6649-8h33-mv2cMediumCVSS 5.9

LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the...

Published
June 29, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.

🔗 References (7)