CVE-2026-55417
Received Received - Intake

Information Disclosure in Chevereto Self-Hosted Platform

Vulnerability report for CVE-2026-55417, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Chevereto is a self-hosted media-sharing platform. Starting in version 3.7.5 and prior to version 4.5.4, when a user enables the private profile option, visiting their profile HTML route (`/username`) correctly returns 404. However, the `/json` AJAX listing endpoint does not apply the same check. An unauthenticated caller who knows the target's user ID can retrieve all of that user's publicly-scoped images, revealing the username (which should be private). This is patched in Chevereto v4.5.4. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
chevereto chevereto to 4.5.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Chevereto, a self-hosted media-sharing platform, in versions starting from 3.7.5 up to but not including 4.5.4. When a user enables the private profile option, visiting their profile page via the HTML route correctly returns a 404 error, hiding the profile. However, the JSON AJAX endpoint that lists images does not enforce the same privacy check. As a result, an unauthenticated attacker who knows the target user's ID can access all publicly-scoped images of that user and also discover their username, which should have been private.

Impact Analysis

This vulnerability can lead to unintended disclosure of user information. Specifically, an attacker can retrieve publicly-scoped images and the username of a user who intended to keep their profile private. This could result in privacy violations, exposure of user content without consent, and potential misuse of the revealed information.

Detection Guidance

This vulnerability involves unauthorized access to a user's publicly-scoped images via the `/json` AJAX listing endpoint when the private profile option is enabled. Detection would involve checking if requests to the `/json` endpoint for user profiles return image data without proper authentication.

Since no specific detection commands or tools are provided, a possible approach is to manually test by sending HTTP requests to the `/json` endpoint of user profiles with known user IDs and observing if image data is returned without authentication.

  • Use curl to test access: `curl -i https://your-chevereto-instance.com/json?user_id=TARGET_USER_ID`
  • Check if the response contains publicly-scoped images despite the profile being set to private.
Mitigation Strategies

The vulnerability is patched in Chevereto version 4.5.4. The immediate step is to upgrade your Chevereto installation to version 4.5.4 or later.

No known workarounds are available, so upgrading is the only effective mitigation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55417. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart