Description
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PhotoPrism before release 260601-a7d098548 contains a broken access control flaw (CWE-639, authorization bypass through a user-controlled key) that lets any authenticated non-admin user modify the profile information of any other user by sending a PUT request to /api/v1/users/{uid} with a uid other than their own. The endpoint never checks that the uid in the path belongs to the session's user, so the request is processed as if the attacker owned the target account. An attacker can therefore overwrite another user's profile details to impersonate that user, publish false information under their name, or otherwise compromise the integrity of user data.

Affected Systems

The vulnerable product is PhotoPrism (vendor photoprism), affecting all installations running a version earlier than 260601-a7d098548. No additional versions or products are listed as affected.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (CVSS v3.1: 4.3); both vectors record a low integrity impact with no confidentiality or availability impact. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an account that is already authenticated as a non-admin user plus network access to the API, so the likely attack vector is a remote authenticated request to the web service once a low-privilege account has been compromised or otherwise obtained by the attacker.

Generated by OpenCVE AI on June 29, 2026 at 19:25 UTC.

Remediation

No vendor advisory or workaround is recorded here. The CVE description identifies 260601-a7d098548 as the first release that does not contain the flaw.

OpenCVE Recommended Actions

  • Upgrade PhotoPrism to version 260601-a7d098548 or later; the CVE description identifies it as the first release without the missing session-to-uid validation.
  • Confirm at the application level that PUT /api/v1/users/{uid} is honoured only when the uid in the path matches the session's own user (or the session belongs to an admin). A reverse proxy cannot make that decision, because it does not know which uid a session belongs to, but it can block PUT /api/v1/users/* entirely as a coarse stopgap at the cost of disabling all profile edits.
  • If upgrading is not immediately possible, keep the number of non-admin accounts to a minimum (the flaw requires an authenticated account) and review user profiles for unexpected changes; the impact is limited to the integrity of profile data.
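As an added illustration that is not PhotoPrism's own code, the Go program below (PhotoPrism is written in Go) models the PUT /api/v1/users/{uid} handler twice: with the session-to-uid check missing, as the Impact section above describes, and with the owner-or-admin check that the recommended actions call for. Everything in it is hypothetical and constructed for the example: the Session and Profile types, the bearer-token session table, the uids and the tokens. PhotoPrism's real session handling, user model and field names differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session is the identity derived from a validated session token
// (hypothetical type, not PhotoPrism's own).
type Session struct {
	UserUID string
	Admin   bool
}

// Profile is the editable part of a user record (constructed field set).
type Profile struct {
	DisplayName string `json:"DisplayName"`
	Email       string `json:"Email"`
}

// Server is a constructed in-memory stand-in for the users API.
// fixed=false reproduces the CWE-639 behaviour; fixed=true adds the check.
type Server struct {
	users    map[string]Profile
	sessions map[string]Session // bearer token -> session
	fixed    bool
}

// NewServer seeds two non-admin users and one admin session (constructed data).
func NewServer(fixed bool) *Server {
	return &Server{
		users: map[string]Profile{
			"uqxc08w3d0ej2283": {DisplayName: "Alice", Email: "alice@example.com"},
			"uqxc08w3d0ej2284": {DisplayName: "Bob", Email: "bob@example.com"},
		},
		sessions: map[string]Session{
			"tok-alice": {UserUID: "uqxc08w3d0ej2283"},
			"tok-bob":   {UserUID: "uqxc08w3d0ej2284"},
			"tok-admin": {UserUID: "uqxc08w3d0ej2285", Admin: true},
		},
		fixed: fixed,
	}
}

// ServeHTTP handles PUT /api/v1/users/{uid}.
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	uid := strings.TrimPrefix(r.URL.Path, "/api/v1/users/")
	if r.Method != http.MethodPut || uid == r.URL.Path || uid == "" || strings.Contains(uid, "/") {
		http.NotFound(w, r)
		return
	}
	// Authentication: the bearer token must map to a live session.
	sess, ok := s.sessions[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	// Authorization: the check the advisory describes as missing. The vulnerable
	// build trusts the caller-supplied {uid}; the fixed build requires it to equal
	// the session's own uid unless the caller is admin, before any existence lookup.
	if s.fixed && !sess.Admin && sess.UserUID != uid {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	var in Profile
	if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if _, exists := s.users[uid]; !exists {
		http.NotFound(w, r)
		return
	}
	s.users[uid] = in
	w.WriteHeader(http.StatusOK)
}

// Attempt sends PUT /api/v1/users/{uid} with a session token and JSON body
// through the handler in-process and returns the HTTP status code.
func Attempt(s *Server, token, uid, body string) int {
	req := httptest.NewRequest(http.MethodPut, "/api/v1/users/"+uid, strings.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	body := `{"DisplayName":"Mallory","Email":"alice@example.com"}` // Bob targets Alice
	for _, fixed := range []bool{false, true} {
		s := NewServer(fixed)
		code := Attempt(s, "tok-bob", "uqxc08w3d0ej2283", body)
		fmt.Printf("fixed=%-5v status=%d alice=%q\n", fixed, code, s.users["uqxc08w3d0ej2283"].DisplayName)
	}
}
```

Run as written, the vulnerable build answers Bob's cross-user PUT with 200 and Alice's display name is replaced; the fixed build answers 403 and leaves it unchanged, while Bob editing his own uid and the admin editing anyone still get 200. The fixed check sits before the user-existence lookup so that a non-admin probing foreign uids sees the same 403 whether or not the uid exists; that ordering is what to look for when verifying that an upgraded instance actually ties the session to the uid.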

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Photoprism
                                      Photoprism photoprism
Vendors & Products                    Photoprism
                                      Photoprism photoprism

Mon, 29 Jun 2026 18:15:00 +0000

Type         Values Removed   Values Added
Description                   PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.
Title                         PhotoPrism - Unauthorized User Profile Modification via PUT /api/v1/users/{uid} Endpoint
Weaknesses                    CWE-639
References
Metrics                       cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
                              cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T17:18:05.557Z

Reserved: 2026-06-26T13:57:16.356Z

Link: CVE-2026-57945

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:04:02Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key