Unauthorized Access Vulnerability in Chevereto Media-Sharing Platform
CVE-2026-55417
6.9MEDIUM
What is CVE-2026-55417?
Chevereto, a self-hosted media-sharing platform, has a vulnerability that allows unauthorized users to access private user images. Although the platform correctly returns a 404 error for private profile URLs, it fails to implement the same privacy measures on the '/json' AJAX endpoint. This oversight means that an unauthenticated user who knows a target's user ID can access all publicly-scoped images associated with that user, potentially exposing their username. The issue is resolved in Chevereto version 4.5.4, and no known workarounds exist.
Affected Version(s)
chevereto >= 3.7.5, < 4.5.4
chevereto/chevereto >= 4.0.5, < 4.5.4
rodber/chevereto-free >= 1.0.0
