Unauthorized Access Vulnerability in Chevereto Media-Sharing Platform
CVE-2026-55417

6.9MEDIUM

Key Information:

Vendor

Chevereto

Vendor
CVE Published:
7 July 2026

What is CVE-2026-55417?

Chevereto, a self-hosted media-sharing platform, has a vulnerability that allows unauthorized users to access private user images. Although the platform correctly returns a 404 error for private profile URLs, it fails to implement the same privacy measures on the '/json' AJAX endpoint. This oversight means that an unauthenticated user who knows a target's user ID can access all publicly-scoped images associated with that user, potentially exposing their username. The issue is resolved in Chevereto version 4.5.4, and no known workarounds exist.

Affected Version(s)

chevereto >= 3.7.5, < 4.5.4

chevereto/chevereto >= 4.0.5, < 4.5.4

rodber/chevereto-free >= 1.0.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.