Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-exploitable with authenticated low-privilege access (PR:L) and enumeration requirement (AC:H); high confidentiality, low integrity, no availability impact and no scope change.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.
AnalysisAI
Broken object-level authorization (BOLA/IDOR) in LibrePhotos prior to version 1.0.0 allows any authenticated user to read private photos belonging to other users by manipulating shared_to relationship parameters in the SetPhotosShared endpoint without server-side ownership validation. The attack vector is network-accessible and requires only a low-privilege account, delivering high confidentiality impact against victim photo libraries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated account on the target LibrePhotos instance, corresponding to PR:L in the CVSS vector - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.0 reflects network exploitability with a low-privilege authenticated requirement (PR:L) and elevated attack complexity (AC:H), the latter implying that exploitation requires enumerating or guessing valid photo or user identifiers belonging to other accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user on a shared LibrePhotos instance crafts a POST request to the SetPhotosShared endpoint, substituting the shared_to parameter with photo IDs belonging to another user's private library. Because the server does not verify that the authenticated requester owns the referenced photos, the sharing relationship is written successfully, granting the attacker read access to the victim's private photos. … |
| Remediation | Upgrade to LibrePhotos version 1.0.0 or later, which resolves this authorization bypass via commit 325bd1f5fda71c6d56737aa09cfce0cb8106675a (pull request #1866 at https://github.com/LibrePhotos/librephotos/pull/1866). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40161
GHSA-6649-8h33-mv2c