CVE-2026-57945

Authenticated Profile Modification in PhotoPrism

Vulnerability report for CVE-2026-57945, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: photoprism
Product: photoprism
Version / Range: all versions before 260601-a7d098548 (upper bound excluded)

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

CVE-2026-57945 is a broken access control vulnerability in PhotoPrism versions before 260601-a7d098548. It allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints.

The root cause is the missing validation that the session user's identifier matches the target user identifier in the PUT /api/v1/users/{uid} API endpoint. This flaw lets attackers overwrite another user's profile details without proper authorization.

The vulnerability was fixed by enforcing an explicit check that the session user's UID matches the target UID before processing any update, ensuring non-admin users can only update their own profiles.

Impact Analysis

This vulnerability can allow an authenticated non-admin user to modify other users' profile information without authorization.

Such unauthorized modifications could lead to data integrity issues, confusion among users, and potential misuse of altered profile information.

However, privileged fields like roles and permissions remain protected by admin checks, so this vulnerability does not allow privilege escalation.

Detection Guidance

This vulnerability can be detected by monitoring and testing the PUT /api/v1/users/{uid} API endpoint for missing authorization checks. Specifically, requests in which an authenticated non-admin user modifies another user's profile information indicate the presence of the vulnerability.

To detect exploitation attempts, you can look for unusual PUT requests targeting user IDs other than the authenticated user's own UID.

Suggested commands include using curl or similar HTTP clients to test the endpoint by sending PUT requests with different user IDs while authenticated as a non-admin user, for example:

  • curl -X PUT -H "Authorization: Bearer <non-admin-token>" -d '{"profileField":"newValue"}' https://<photoprism-host>/api/v1/users/<other-user-uid>
  • Check server logs for PUT requests to /api/v1/users/ with user IDs that do not match the authenticated user's UID.

If such requests succeed in modifying other users' profiles, the system is vulnerable.
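The log check described above, as an added example that is not part of the original advisory: it scans access-log lines for PUT requests to /api/v1/users/{uid} in which a non-admin session targets a UID other than its own. The log format (timestamp, `uid=`, `role=`, method, path, status) and the UIDs are constructed for this example; real PhotoPrism logs may differ, so the line regex is the part to adapt. A 2xx status means the profile was actually modified (an unpatched instance); a 403 means the check held but still records an attempt worth alerting on.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample log in an assumed format: timestamp, authenticated UID,
// role, HTTP method, request path, status. The UIDs are made up for the example.
const sampleLog = `2026-06-29T10:00:01Z uid=uqxalice role=user PUT /api/v1/users/uqxalice 200
2026-06-29T10:00:02Z uid=uqxalice role=user PUT /api/v1/users/uqxbob 200
2026-06-29T10:00:03Z uid=uqxbob role=admin PUT /api/v1/users/uqxalice 200
2026-06-29T10:00:04Z uid=uqxalice role=user GET /api/v1/users/uqxbob 200
2026-06-29T10:00:05Z uid=uqxalice role=user PUT /api/v1/users/uqxbob 403`

// lineRe splits one log line into its six fields (assumed format, see above).
var lineRe = regexp.MustCompile(`^(\S+) uid=(\S+) role=(\S+) (\S+) (\S+) (\d{3})$`)

// userPathRe matches only the profile endpoint itself, PUT /api/v1/users/{uid},
// which is the endpoint the advisory covers; sub-resources are out of scope.
var userPathRe = regexp.MustCompile(`^/api/v1/users/([^/?]+)$`)

// Finding records one cross-user profile update by a non-admin session.
type Finding struct {
	Time       string
	SessionUID string
	TargetUID  string
	Status     int
	Succeeded  bool // true for a 2xx status, i.e. the update went through
}

// FindCrossUserProfileUpdates returns one Finding per PUT to the profile
// endpoint where a non-admin session's UID differs from the UID in the path.
// Admin sessions are skipped because admins are allowed to edit any profile.
func FindCrossUserProfileUpdates(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not in the expected format; ignore
		}
		ts, uid, role, method, path, status := m[1], m[2], m[3], m[4], m[5], m[6]
		if method != "PUT" || role == "admin" {
			continue
		}
		p := userPathRe.FindStringSubmatch(path)
		if p == nil || p[1] == uid {
			continue // not the profile endpoint, or the user editing their own profile
		}
		code, _ := strconv.Atoi(status) // regex guarantees three digits
		out = append(out, Finding{
			Time:       ts,
			SessionUID: uid,
			TargetUID:  p[1],
			Status:     code,
			Succeeded:  code >= 200 && code < 300,
		})
	}
	return out
}

func main() {
	for _, f := range FindCrossUserProfileUpdates(sampleLog) {
		fmt.Printf("%s session %s -> target %s status %d succeeded=%t\n",
			f.Time, f.SessionUID, f.TargetUID, f.Status, f.Succeeded)
	}
}
```

On the constructed sample this reports two findings, both for the session `uqxalice` targeting `uqxbob`: the first with status 200 (the modification succeeded) and the second with status 403 (the check rejected it).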

Mitigation Strategies

The immediate mitigation step is to upgrade PhotoPrism to version 260601-a7d098548 or later, where the vulnerability has been fixed by reinforcing authorization checks on the PUT /api/v1/users/{uid} endpoint.

This update ensures that non-admin users can only update their own profiles and prevents unauthorized modifications.

Additionally, the fix prevents account enumeration by returning a 403 Forbidden error for unauthorized or unknown user IDs.
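As an added illustration of the fix described in the Executive Summary and of the 403 behaviour noted in the paragraph above (this is example code, not PhotoPrism's own implementation), the following Go function models the authorization decision for a profile update: a non-admin session may only update the profile whose UID matches its own, an admin may update any existing user, and both unauthorized and unknown targets map to 403 so that the response does not reveal whether an account exists. The Session type, the userExists lookup and the UIDs are assumptions constructed for this example; a contrasting function shows the missing check.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Session is a simplified stand-in for an authenticated session. The field
// names are assumptions for this example, not PhotoPrism's own types.
type Session struct {
	UserUID string
	IsAdmin bool
}

// ErrForbidden is returned for every request the caller may not perform,
// including updates to UIDs that do not exist, so the status code alone
// cannot be used to tell existing accounts from non-existing ones.
var ErrForbidden = errors.New("forbidden")

// knownUsers stands in for a database lookup; the UIDs are constructed.
var knownUsers = map[string]bool{"uqxalice": true, "uqxbob": true}

func userExists(uid string) bool { return knownUsers[uid] }

// AuthorizeProfileUpdate returns the HTTP status for a PUT /api/v1/users/{uid}
// request. The ownership check runs before the existence check, so a non-admin
// gets 403 for any foreign UID and an admin gets 403 for an unknown UID.
func AuthorizeProfileUpdate(s Session, targetUID string) (int, error) {
	if s.UserUID == "" {
		return http.StatusUnauthorized, errors.New("no authenticated session")
	}
	if !s.IsAdmin && s.UserUID != targetUID {
		return http.StatusForbidden, ErrForbidden // the check the fix adds
	}
	if !userExists(targetUID) {
		return http.StatusForbidden, ErrForbidden // 403, not 404, to avoid enumeration
	}
	return http.StatusOK, nil
}

// VulnerableAuthorize shows the pre-fix shape for contrast: any authenticated
// session passes as long as the target exists, and unknown targets leak a 404.
func VulnerableAuthorize(s Session, targetUID string) (int, error) {
	if s.UserUID == "" {
		return http.StatusUnauthorized, errors.New("no authenticated session")
	}
	if !userExists(targetUID) {
		return http.StatusNotFound, errors.New("user not found")
	}
	return http.StatusOK, nil
}

func main() {
	alice := Session{UserUID: "uqxalice"}
	admin := Session{UserUID: "uqxbob", IsAdmin: true}
	fmt.Println(AuthorizeProfileUpdate(alice, "uqxbob"))   // 403 forbidden
	fmt.Println(AuthorizeProfileUpdate(alice, "uqxalice")) // 200 <nil>
	fmt.Println(AuthorizeProfileUpdate(admin, "nosuch"))   // 403 forbidden
	fmt.Println(VulnerableAuthorize(alice, "uqxbob"))      // 200 <nil>
}
```

The ordering matters: checking ownership before existence keeps the non-admin path independent of the user table, and returning the same 403 for an unknown UID on the admin path keeps the endpoint from acting as an account oracle.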

If immediate upgrade is not possible, restrict access to the vulnerable API endpoint to trusted users only and monitor logs for suspicious activity.

Using Docker images from the updated release is recommended for easier deployment of the fix.
