Impact
LibrePhotos before version 1.0.0 contains a broken object‑level authorization flaw in the SetPhotosShared endpoint. The vulnerability allows an authenticated user to manipulate the shared_to relationships associated with a photo without proper ownership validation, effectively granting themselves read access to any private photo belonging to another user. This flaw exposes private user content and can lead to significant privacy violations.
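The following is an added illustration, not LibrePhotos' own code: a constructed in-memory model of a SetPhotosShared-style handler, first with the missing ownership check (the flaw class described above) and then with the object-level authorization the fix requires. The Photo model, the `can_view` helper and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Photo:
    id: int
    owner: str                                    # username of the uploader
    shared_to: set = field(default_factory=set)   # users granted read access


class NotOwner(PermissionError):
    """Raised when the acting user does not own every photo in the request."""


def fresh_db():
    # Constructed sample data: two users, each holding one private photo.
    return {1: Photo(1, "alice"), 2: Photo(2, "bob")}


def can_view(db, user, photo_id):
    """Read access: the owner, or anyone in the photo's shared_to set."""
    photo = db[photo_id]
    return user == photo.owner or user in photo.shared_to


def set_photos_shared_vulnerable(db, actor, photo_ids, target_user, share=True):
    """Flaw class from the advisory: `actor` is authenticated, but ownership of
    each referenced photo is never checked, so any user can add themselves to
    shared_to of any other user's photo."""
    touched = []
    for pid in photo_ids:
        photo = db.get(pid)
        if photo is None:
            continue
        if share:
            photo.shared_to.add(target_user)
        else:
            photo.shared_to.discard(target_user)
        touched.append(pid)
    return touched


def set_photos_shared_fixed(db, actor, photo_ids, target_user, share=True):
    """Object-level authorization: resolve the photos, then refuse the whole
    request unless `actor` owns every one (the ORM equivalent is filtering
    by id AND owner=request.user, not by id alone)."""
    photos = [db[pid] for pid in photo_ids if pid in db]
    not_owned = sorted(p.id for p in photos if p.owner != actor)
    if not_owned:
        # Map to HTTP 403 in a real view; log actor and ids for detection.
        raise NotOwner(f"{actor} does not own photo(s) {not_owned}")
    for photo in photos:
        if share:
            photo.shared_to.add(target_user)
        else:
            photo.shared_to.discard(target_user)
    return [p.id for p in photos]
```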
Affected Systems
The affected product is LibrePhotos by librephotos_project. Any installation of LibrePhotos with a version earlier than 1.0.0 is vulnerable. No other versions or products are listed as affected.
Risk and Exploitability
The CVSS score of 6.0 indicates a medium severity vulnerability. The EPSS score is not available and the issue is not currently listed in CISA’s KEV catalog, suggesting limited public exploitation data. Exploitation requires an authenticated account on the instance; from such an account, modifying the shared_to relations of photos the attacker does not own grants access to other users’ private photos. Despite the moderate severity and lack of widespread exploitation, the risk is still non‑negligible, especially in environments where user privacy is critical.
OpenCVE Enrichment