Access Control Flaw in PhotoPrism Affects User Profiles
CVE-2026-57945

5.3 MEDIUM

Key Information:

Vendor

Photoprism

CVE Published:
29 June 2026

What is CVE-2026-57945?

PhotoPrism before version 260601-a7d098548 contains a broken access control vulnerability that permits authenticated non-admin users to alter other users' profile information. The flaw arises from inadequate validation of the session-to-user identifier in the PUT users API endpoint: the server does not confirm that the user bound to the session is the user named in the request, so an authenticated user can direct a request at another user's endpoint and change that user's profile details without the required authorization. Organizations running affected versions are advised to update promptly to mitigate the risk associated with this vulnerability.
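The check described as missing above, shown as an added example in Go (the language PhotoPrism is written in) that is not PhotoPrism's own code: the route layout /api/v1/users/<uid>, the X-Session-ID header, the Session type and the in-memory profile store are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Session is a hypothetical session record: the logged-in user and their role.
type Session struct {
	UserUID string
	Admin   bool
}

// authorizeProfileUpdate is the session-to-target check the advisory describes as
// missing: a non-admin may only update the profile whose uid matches their own session.
func authorizeProfileUpdate(s *Session, targetUID string) bool {
	if s == nil || s.UserUID == "" || targetUID == "" {
		return false
	}
	return s.Admin || s.UserUID == targetUID
}

var profiles = map[string]map[string]string{} // in-memory stand-in for the user table

// updateProfileHandler serves PUT /api/v1/users/<uid> (constructed route layout);
// sessions maps a session token to the Session it authenticates.
func updateProfileHandler(sessions map[string]*Session) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		s := sessions[r.Header.Get("X-Session-ID")]
		if r.Method != http.MethodPut || s == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		target := strings.TrimPrefix(r.URL.Path, "/api/v1/users/")
		if !authorizeProfileUpdate(s, target) { // the fix: reject cross-user writes
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		var body map[string]string
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		profiles[target] = body
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() { fmt.Println(authorizeProfileUpdate(&Session{UserUID: "u-alice"}, "u-bob")) } // false
```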

Affected Version(s)

photoprism: all versions from 0 up to, but not including, 260601-a7d098548

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen