Broken Object Level Authorization Vulnerability in LibrePhotos from LibrePhotos
CVE-2026-57943

6 MEDIUM

Key Information:

Vendor
CVE Published: 29 June 2026

What is CVE-2026-57943?

LibrePhotos prior to version 1.0.0 is affected by a vulnerability that allows authenticated users to access other users' private photos. This issue occurs in the SetPhotosShared endpoint, where users can exploit a lack of ownership validation to manipulate relationships, enabling them to read private photos that do not belong to them. The flaw results from insufficient checks over user permissions, potentially exposing sensitive data to unauthorized individuals.
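The missing ownership check described above, shown on a simplified in-memory model as an added example. This is not LibrePhotos code: the `Photo` fields, the function names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Photo:
    image_hash: str                      # hypothetical identifier field
    owner: str                           # hypothetical owner field
    shared_to: set = field(default_factory=set)


def make_store():
    """Constructed sample data: one private photo per user."""
    return {
        "a1": Photo("a1", owner="alice"),
        "b1": Photo("b1", owner="bob"),
    }


def can_read(store, user, image_hash):
    """Read access: the owner, or anyone the photo is shared with."""
    photo = store[image_hash]
    return user == photo.owner or user in photo.shared_to


def set_shared_unchecked(store, requester, image_hashes, target_user):
    """'Before' pattern: acts on any ID in the request body.
    `requester` is authenticated but never compared with the owner."""
    for h in image_hashes:
        if h in store:
            store[h].shared_to.add(target_user)


def set_shared_checked(store, requester, image_hashes, target_user):
    """Hardened pattern: the share relationship changes only on photos the
    requester owns. Unknown and foreign IDs are rejected identically, so the
    response does not reveal which IDs exist."""
    changed, rejected = [], []
    for h in image_hashes:
        photo = store.get(h)
        if photo is not None and photo.owner == requester:
            photo.shared_to.add(target_user)
            changed.append(h)
        else:
            rejected.append(h)
    return changed, rejected
```

In a review or regression test, the property to assert is that a share request from a non-owner leaves `shared_to` unchanged on every photo it names.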

Affected Version(s)

librephotos 0 < 1.0.0

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen