CVE-2026-57945
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
A broken access control vulnerability in PhotoPrism before version 260601-a7d098548 allows authenticated non-admin users to modify other users' profile information. The missing session-to-user identifier validation in the PUT users API endpoint enables attackers to overwrite another user's profile details without authorization.
Risk Assessment
The risk involves unauthorized modification of user data, potentially leading to account integrity compromise, privilege escalation, or identity theft within the organization.
Recommendation
Immediately update PhotoPrism to version 260601-a7d098548 or later, which includes a fix for the access control vulnerability.
Original NVD description (English source)
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.

