CVE-2026-57943
MediumCVSS 5.9Summary
A vulnerability in LibrePhotos before version 1.0.0 in the SetPhotosShared endpoint allows authenticated users to bypass ownership validation and grant themselves access to other users' private photos. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos.
Risk Assessment
The risk involves unauthorized access to other users' private photos, potentially leading to privacy breaches and leakage of sensitive data within the organization.
Recommendation
Immediately update LibrePhotos to version 1.0.0 or later, which includes a fix for the broken object level authorization vulnerability.
Original NVD description (English source)
LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.

