Description
LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.
Published: 2026-06-29
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibrePhotos before version 1.0.0 contains a broken object-level authorization flaw in the SetPhotosShared endpoint. The vulnerability allows an authenticated user to manipulate the shared_to relationships associated with a photo without proper ownership validation, effectively granting themselves read access to any private photo belonging to another user. This flaw exposes private user content and can lead to significant privacy violations.

Affected Systems

The affected product is LibrePhotos by librephotos_project. Any installation of LibrePhotos with a version earlier than 1.0.0 is vulnerable. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 6.0 indicates a medium severity vulnerability. The EPSS score is not available and the issue is not currently listed in CISA's KEV catalog, suggesting limited public exploitation data. Attackers would need to be authenticated within the system to exploit the flaw, likely through legitimate accounts that can then modify shared relations to access other users' private photos. Given the moderate severity and lack of widespread exploitation, the risk is still non-negligible, especially in environments where user privacy is critical.

Generated by OpenCVE AI on June 29, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibrePhotos to version 1.0.0 or later, which removes the broken authorization check in SetPhotosShared.
  • If an upgrade is delayed, modify the SetPhotosShared endpoint to enforce strict ownership validation, ensuring that only photos owned by the authenticated user can have their shared_to relations altered.
  • Deploy additional access control measures to verify that any shared-to relationships belong to the requesting user before granting photo read permissions.
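As an added illustration (not LibrePhotos's own code), the following Python sketch models the ownership check the actions above call for: a hypothetical in-memory photo store, a share-update function written in the unchecked pattern the advisory describes (lookup by client-supplied key with no owner comparison), and a hardened version that scopes the lookup to the requester's own photos and fails closed. All names, the sample users and the `image_hash` keys are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Photo:
    """Hypothetical photo record: owner plus the set of users it is shared to."""
    image_hash: str
    owner: str
    shared_to: set = field(default_factory=set)

def make_sample_photos():
    """Constructed sample state: alice and bob each own one private photo."""
    return {"a1": Photo("a1", "alice"), "b1": Photo("b1", "bob")}

def can_read(photos, user, image_hash):
    """Read rule: the owner or anyone in shared_to may view the photo."""
    photo = photos[image_hash]
    return photo.owner == user or user in photo.shared_to

def _apply(photo, target, shared):
    (photo.shared_to.add if shared else photo.shared_to.discard)(target)

def set_photos_shared_unchecked(photos, requester, image_hashes, target, shared):
    """Broken pattern (CWE-639): photos are fetched by the client-supplied key
    alone, so `requester` is never compared with the owner and any caller can
    alter shared_to on photos belonging to someone else."""
    for h in image_hashes:
        _apply(photos[h], target, shared)
    return len(image_hashes)

def set_photos_shared(photos, requester, image_hashes, target, shared):
    """Hardened version: scope the lookup to photos owned by the requester and
    fail closed if any requested key falls outside that set."""
    owned = [photos[h] for h in image_hashes
             if h in photos and photos[h].owner == requester]
    if len(owned) != len(image_hashes):
        # Reject the whole request instead of partially applying it; logging
        # this branch gives defenders a detection point for probing.
        raise PermissionError("request includes photos not owned by requester")
    for photo in owned:
        _apply(photo, target, shared)
    return len(owned)
```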

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:30:00 +0000

Values added (no values removed):
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 18:15:00 +0000

Values added (no values removed):
  • Description: LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.
  • Title: LibrePhotos < 1.0.0 - Insecure Direct Object Reference in SetPhotosShared Endpoint
  • First Time appeared: Librephotos Project; Librephotos Project librephotos
  • Weaknesses: CWE-639
  • CPEs: cpe:2.3:a:librephotos_project:librephotos:*:*:*:*:*:*:*:*
  • Vendors & Products: Librephotos Project; Librephotos Project librephotos
  • References: (none)
  • Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}
  • Metrics (cvssV4_0): {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T11:15:45.129Z

Reserved: 2026-06-26T13:57:16.355Z

Link: CVE-2026-57943

Vulnrichment

Updated: 2026-06-29T19:25:48.254Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T09:45:03Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key