CVE Catalog

CVE-2026-57945

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

A broken access control vulnerability in PhotoPrism before version 260601-a7d098548 allows authenticated non-admin users to modify other users' profile information. The missing session-to-user identifier validation in the PUT users API endpoint enables attackers to overwrite another user's profile details without authorization.

Risk Assessment

The risk involves unauthorized modification of user data, potentially leading to account integrity compromise, privilege escalation, or identity theft within the organization.

Recommendation

Immediately update PhotoPrism to version 260601-a7d098548 or later, which includes a fix for the access control vulnerability.

Original NVD description (English source)

PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS