CVE-2026-57943
Status: Received - Intake

Broken Object Level Authorization in LibrePhotos

Vulnerability report for CVE-2026-57943, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor        Product        Version / Range
librephotos   librephotos    up to 1.0.0 (exclusive)

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

Executive Summary

CVE-2026-57943 is an Insecure Direct Object Reference (IDOR) vulnerability in LibrePhotos versions before 1.0.0, specifically in the SetPhotosShared endpoint.

This vulnerability allows authenticated users to bypass ownership validation and grant themselves access to other users' private photos by manipulating the shared_to relations.

The root cause is a missing ownership check when resolving photos by image hash, which lets attackers add themselves to the shared_to list of photos they do not own, thereby gaining unauthorized read access to private photos including originals and thumbnails.

The flaw also affects the unshare functionality, allowing users to remove legitimate shares improperly.

The vulnerability was confirmed with a proof-of-concept and is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).
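The following is an added illustration of the root cause described above, not code from LibrePhotos or from the advisory: a minimal in-memory photo model with a share handler that resolves photos by hash alone (the flawed pattern) next to one that restricts the lookup to photos owned by the requester. The `Photo` class, the `sample_library` data, the function names and the Django filter mentioned in a comment are all assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Photo:
    """Minimal stand-in for a photo record: a content hash, an owner and
    the set of users the photo has been shared with (hypothetical model,
    not LibrePhotos' own)."""
    image_hash: str
    owner: str
    shared_to: set = field(default_factory=set)


def sample_library():
    """Constructed sample data: alice owns two photos (one already shared
    with carol), bob owns one."""
    return {
        "h_alice_1": Photo("h_alice_1", "alice", {"carol"}),
        "h_alice_2": Photo("h_alice_2", "alice"),
        "h_bob_1": Photo("h_bob_1", "bob"),
    }


def set_photos_shared_vulnerable(photos, requester, image_hashes, target, shared):
    """The pattern the advisory describes: photos are resolved by hash
    alone and `requester` is never consulted, so any authenticated user
    can add or remove shared_to entries on photos belonging to someone
    else. Returns the hashes that were modified."""
    changed = []
    for h in image_hashes:
        photo = photos.get(h)
        if photo is None:
            continue
        if shared:
            photo.shared_to.add(target)
        else:
            photo.shared_to.discard(target)
        changed.append(h)
    return changed


def set_photos_shared_fixed(photos, requester, image_hashes, target, shared):
    """Hardened form: a hash is only acted on if the photo is owned by the
    requester. In a Django view the equivalent constraint is a queryset
    such as Photo.objects.filter(owner=request.user, image_hash__in=hashes)
    (illustrative; not a claim about the upstream fix). Returns the hashes
    changed and the hashes refused, so the caller can log the latter."""
    changed, refused = [], []
    for h in image_hashes:
        photo = photos.get(h)
        if photo is None or photo.owner != requester:
            refused.append(h)
            continue
        if shared:
            photo.shared_to.add(target)
        else:
            photo.shared_to.discard(target)
        changed.append(h)
    return changed, refused


def can_read(photos, user, image_hash):
    """Read access as the advisory frames it: the owner, or anyone listed
    in shared_to, may fetch the original and its thumbnails."""
    photo = photos[image_hash]
    return user == photo.owner or user in photo.shared_to


if __name__ == "__main__":
    lib = sample_library()
    set_photos_shared_vulnerable(lib, "bob", ["h_alice_1"], "bob", True)
    print("vulnerable: bob can read h_alice_1 ->", can_read(lib, "bob", "h_alice_1"))
    lib = sample_library()
    _, refused = set_photos_shared_fixed(lib, "bob", ["h_alice_1"], "bob", True)
    print("fixed: refused", refused, "; bob can read h_alice_1 ->", can_read(lib, "bob", "h_alice_1"))
```

The same ownership filter covers the unshare path mentioned above: with the hardened handler, a non-owner passing `shared=False` cannot remove a share the owner granted, because the photo is never selected in the first place.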

Compliance Impact

CVE-2026-57943 allows authenticated users to bypass ownership validation and access private photos of other users without authorization. This unauthorized disclosure of private data can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over personal and sensitive information.

Specifically, the vulnerability exposes private photos, which constitute personal data under GDPR and, where HIPAA applies, may constitute protected health information. The failure to enforce proper authorization controls undermines confidentiality requirements and could result in non-compliance with these standards.

Therefore, organizations using vulnerable versions of LibrePhotos may face compliance risks due to potential unauthorized access and disclosure of private user data.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private photos belonging to other users.

An attacker who is authenticated can manipulate sharing relations to gain read access to arbitrary private photos without proper authorization.

The confidentiality of private photos is at high risk, as attackers can view sensitive images they should not have access to.

There is also a low risk to integrity because attackers can tamper with the share state by sharing or unsharing photos improperly.

Detection Guidance

This vulnerability is an Insecure Direct Object Reference (IDOR) in the SetPhotosShared endpoint of LibrePhotos before version 1.0.0: authenticated users can bypass ownership validation and access other users' private photos.

Detection can focus on monitoring or testing the SetPhotosShared endpoint for unauthorized manipulation of shared_to relations. Authenticated API requests that attempt to share photos the requesting user does not own show whether the system improperly grants access.

Because the issue is misuse of an API endpoint, commands or scripts that send authenticated requests to SetPhotosShared with photo identifiers not owned by the requesting user can confirm whether an instance is affected.

  • Use curl or similar tools to send authenticated POST requests to the SetPhotosShared endpoint with photo hashes belonging to other users and check if the response allows sharing.
  • Monitor logs for unusual sharing activity where users share photos they do not own.
  • Review API access logs for suspicious patterns of shared_to relation modifications.

Mitigation Strategies

The primary mitigation is to upgrade LibrePhotos to version 1.0.0 or later, where the vulnerability has been patched by adding ownership validation checks in the SetPhotosShared endpoint.

Until the upgrade can be performed, restrict access to the SetPhotosShared endpoint to trusted users only, and monitor for suspicious sharing activity.

Additionally, review and audit user permissions and sharing settings to detect and revert any unauthorized shares.
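As an added example serving both the log-review bullets under Detection Guidance and the audit-and-revert advice above, the script below is not part of the advisory or of LibrePhotos. It parses a constructed request-log format (the field layout, the `endpoint=SetPhotosShared` tag and the sample lines are all invented for the example), joins each share or unshare event against a constructed ownership table, flags every change made by a user who does not own the photo, and reverts the grants those users gave themselves.

```python
import re
from dataclasses import dataclass

# Constructed request-log format (not LibrePhotos' real log layout): one
# line per call, carrying the acting user, the hashes submitted, the user
# the photos are shared to (or unshared from) and the direction of change.
SHARE_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<actor>\S+) endpoint=SetPhotosShared "
    r"hashes=(?P<hashes>\S+) target=(?P<target>\S+) shared=(?P<shared>true|false)$"
)

# Constructed ownership table (image hash -> owning user), as it would be
# exported from the photo table of the instance being audited.
OWNERS = {"h_alice_1": "alice", "h_alice_2": "alice", "h_bob_1": "bob"}

# Constructed log sample: one legitimate share by alice, then bob grants
# himself two of alice's photos and removes alice's share to carol; the
# last line is an unrelated request that the parser must ignore.
LOG_LINES = [
    "2026-06-29T10:00:00Z user=alice endpoint=SetPhotosShared hashes=h_alice_1 target=carol shared=true",
    "2026-06-29T10:05:00Z user=bob endpoint=SetPhotosShared hashes=h_alice_1,h_alice_2 target=bob shared=true",
    "2026-06-29T10:06:00Z user=bob endpoint=SetPhotosShared hashes=h_alice_1 target=carol shared=false",
    "2026-06-29T10:07:00Z user=bob endpoint=ListAlbums status=200",
]


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    owner: str
    image_hash: str
    target: str
    shared: bool  # True = share granted, False = share removed


def parse_share_event(line):
    """Return the fields of a SetPhotosShared log line, or None for any other line."""
    m = SHARE_EVENT_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["hashes"] = ev["hashes"].split(",")
    ev["shared"] = ev["shared"] == "true"
    return ev


def find_unauthorized_share_changes(lines, owners):
    """Flag every share or unshare where the acting user is not the owner
    of the photo, i.e. exactly the requests an ownership check would have
    rejected. Hashes absent from the ownership table are skipped."""
    findings = []
    for line in lines:
        ev = parse_share_event(line)
        if ev is None:
            continue
        for h in ev["hashes"]:
            owner = owners.get(h)
            if owner is None or owner == ev["actor"]:
                continue
            findings.append(Finding(ev["ts"], ev["actor"], owner, h, ev["target"], ev["shared"]))
    return findings


def revert_unauthorized_shares(shared_to, findings):
    """Revert grants made by non-owners in the current share state
    (hash -> set of users). Removals made by non-owners are returned for
    the owner to confirm instead of being re-applied blindly, since the
    owner may have changed that share again in the meantime."""
    reverted, to_confirm = [], []
    for f in findings:
        if f.shared:
            if f.target in shared_to.get(f.image_hash, set()):
                shared_to[f.image_hash].discard(f.target)
                reverted.append((f.image_hash, f.target))
        else:
            to_confirm.append((f.image_hash, f.target))
    return reverted, to_confirm


if __name__ == "__main__":
    found = find_unauthorized_share_changes(LOG_LINES, OWNERS)
    for f in found:
        action = "shared" if f.shared else "unshared"
        print(f"{f.ts} {f.actor} {action} {f.image_hash} (owner {f.owner}) -> {f.target}")
    # Constructed share state as it stands after the events in LOG_LINES.
    state = {"h_alice_1": {"bob"}, "h_alice_2": {"bob"}}
    print(revert_unauthorized_shares(state, found))
```

Run against real data, `OWNERS` would come from the photo table and `LOG_LINES` from the reverse proxy or application log; the only requirement is that the log records the authenticated user and the submitted hashes, since the actor-versus-owner comparison is the whole detection.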
