CVE-2026-57943 MEDIUM

CVE-2026-57943: LibrePhotos < 1.0.0 - Insecure Direct Object Reference in SetPhotosShared Endpoint

Vendor Librephotos
Product librephotos
Weakness CWE-639 · IDOR
Published June 29, 2026
Last update June 30, 2026

CVSS base score

6.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.

Key dates

02Disclosure timeline

June 29, 2026 CVE published
June 30, 2026 Record updated