Impact
PhotoPrism before release 260601-a7d098548 contains a broken access control flaw that allows any authenticated non‑admin user to modify the profile information of any other user by sending a PUT request to /api/v1/users/{uid}. The missing validation that ties the session user to the target uid lets an attacker overwrite another user’s profile details without permission. As a result, an attacker can impersonate a user, publish false information, or otherwise compromise the integrity of user data.
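The missing check is an object-level authorization gap: the handler trusts the `uid` in the path and never asks whether the session user is that user (or an admin). The Go program below is an added illustration written for this page, not PhotoPrism's own code; it builds a minimal handler for `PUT /api/v1/users/{uid}` that can run with or without the ownership check, so the flawed and the hardened behaviour can be compared side by side. The `Session` and `Profile` types, the in-memory user table, and the `X-Test-Session-*` headers that stand in for real session lookup are all constructed assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Session describes the authenticated caller. Field names are assumptions for
// this example, not PhotoPrism's own session type.
type Session struct {
	UserUID string
	IsAdmin bool
}

// Profile is the editable part of a user record (constructed for the example).
type Profile struct {
	DisplayName string `json:"DisplayName"`
	Email       string `json:"Email"`
}

// profiles is an in-memory stand-in for the user table (constructed data).
var (
	mu       sync.Mutex
	profiles = map[string]Profile{
		"alice": {DisplayName: "Alice", Email: "alice@example.test"},
		"bob":   {DisplayName: "Bob", Email: "bob@example.test"},
	}
)

// MayEditProfile is the authorization rule the advisory describes as missing:
// the session user must be the target user, or an admin.
func MayEditProfile(sess Session, targetUID string) bool {
	if sess.UserUID == "" {
		return false
	}
	return sess.IsAdmin || sess.UserUID == targetUID
}

// sessionFromRequest is a constructed stand-in for real session lookup. It
// reads two test-only headers so the example can be driven offline; a real
// deployment must derive the session server-side, never from client headers.
func sessionFromRequest(r *http.Request) Session {
	return Session{
		UserUID: r.Header.Get("X-Test-Session-User"),
		IsAdmin: r.Header.Get("X-Test-Session-Admin") == "1",
	}
}

// NewUsersHandler returns a handler for PUT /api/v1/users/{uid}. With
// checkOwner=false it reproduces the flawed behaviour (any authenticated user
// may update any uid); with checkOwner=true it enforces MayEditProfile.
func NewUsersHandler(checkOwner bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		uid := strings.TrimPrefix(r.URL.Path, "/api/v1/users/")
		if uid == "" || strings.Contains(uid, "/") {
			http.Error(w, "bad uid", http.StatusBadRequest)
			return
		}
		sess := sessionFromRequest(r)
		if sess.UserUID == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized) // authentication
			return
		}
		if checkOwner && !MayEditProfile(sess, uid) {
			http.Error(w, "forbidden", http.StatusForbidden) // authorization: the missing tie
			return
		}
		var p Profile
		if err := json.NewDecoder(r.Body).Decode(&p); err != nil {
			http.Error(w, "bad body", http.StatusBadRequest)
			return
		}
		mu.Lock()
		defer mu.Unlock()
		if _, ok := profiles[uid]; !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		profiles[uid] = p
		w.WriteHeader(http.StatusOK)
	})
}

// PutProfile sends a PUT as the given session to the handler and returns the
// HTTP status code; it is the driver for the demo and the test.
func PutProfile(h http.Handler, sess Session, targetUID string, p Profile) int {
	body, _ := json.Marshal(p)
	req := httptest.NewRequest(http.MethodPut, "/api/v1/users/"+targetUID, strings.NewReader(string(body)))
	req.Header.Set("X-Test-Session-User", sess.UserUID)
	if sess.IsAdmin {
		req.Header.Set("X-Test-Session-Admin", "1")
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	bob := Session{UserUID: "bob"} // a non-admin user editing someone else's record
	tampered := Profile{DisplayName: "Not Alice", Email: "changed@example.test"}
	fmt.Println("without owner check:", PutProfile(NewUsersHandler(false), bob, "alice", tampered)) // 200
	fmt.Println("with owner check:   ", PutProfile(NewUsersHandler(true), bob, "alice", tampered))  // 403
}
```

The point to carry over to any real codebase is that the check lives in the handler (or a per-route authorization middleware) and compares the server-side session identity with the path parameter; a 403 on mismatch for non-admins is also a useful signal to log, since repeated cross-user PUTs from one session are exactly the pattern this flaw would produce.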
Affected Systems
The vulnerable product is PhotoPrism (vendor photoprism), affecting all installations running a version earlier than 260601-a7d098548. No additional versions or products are listed as affected.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate impact; the EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability requires the attacker to already be authenticated as a non‑admin user and to have network access to the API endpoint. Based on the description, the likely attack vector is a remote authenticated request to the web service, which can be leveraged once a legitimate user account with limited privileges is compromised or created.
OpenCVE Enrichment