What the vulnerability does
01Description
Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3.
Explanation of Vulnerability in Simple Terms
02Summary
User Profile Picture versions 2.6.3 and earlier contain an authorization flaw that allows high-privileged users to modify data they should not have access to. The vulnerability requires administrator-level access and does not affect confidentiality or availability. A patch is available in versions newer than 2.6.3.
What an attacker can do
03Attacker Capabilities
Modify data within the application if they have administrator privileges.
Potential impact on your site
04Site Impact
Administrators with malicious intent or compromised admin accounts can alter application data in unintended ways.
Conditions required to exploit
05Prerequisites
Attacker must have administrator-level access to the site.
Key dates
06Disclosure timeline
July 13, 2026
CVE published
July 13, 2026
Record updated