{"id":"CVE-2026-57945","summary":"PhotoPrism - Unauthorized User Profile Modification via PUT /api/v1/users/{uid} Endpoint","details":"PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.","modified":"2026-07-16T03:31:03.482187458Z","published":"2026-06-29T17:18:05.557Z","database_specific":{"cna_assigner":"VulnCheck","cwe_ids":["CWE-639"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57945.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57945.json"},{"type":"ADVISORY","url":"https://github.com/photoprism/photoprism/releases/tag/260601-a7d098548"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-57945"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/photoprism-unauthorized-user-profile-modification-via-put-api-v1-users-uid-endpoint"},{"type":"REPORT","url":"https://github.com/photoprism/photoprism/issues/5619"},{"type":"PACKAGE","url":"https://github.com/photoprism/photoprism"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/photoprism/photoprism","events":[{"introduced":"0"},{"fixed":"a7d098548ef1414f54b736fe4c27764cfbc6e752"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"260601-a7d098548"}],"source":["AFFECTED_FIELD","DESCRIPTION","REFERENCES"]}}],"versions":["260523-0544f71c1","260305-fad9d5395","251130-b3068414c","250321-57590c48b","250228-43447fa38","250224-834c16bc7","250223-b79d21907","240915-e1280b2fb","240711-2197af848","240531-60b3a4628","240528-977d6c0de","240523-923ee0cf7","240420-ef5f14bc4","231128-f48ff16ef","231021-9abea5b55","231011-63f708417","230923-e59851350","230719-73fa7bbe8","230625-17242fb07","230615-90a18f6e7","230607-9e086c7eb","230603-378d4746a","230513-0b780defb","230506-9de9a3540","230504-cbf48798c","230502-c405f6eff","221118-e58fee0fb","221117-3268c4de8","221116-122ebfb70","221105-7a295cab4","221104-20d180b21","221103-211eb36ea","221102-905925b4d","220901-f493607b0","220730-0e1222c83","220728-729ddd920","220629-5d7448d2","220617-0402b8d3","220614-dea9ff68","220528-efb5d710","220527-005770ca","220524-c76de0df","220517-b9c68f8f","220302-0059f429","220121-2b4c8e1f","220118-76c94a1f","220107-f5b7ef83","211215-93b26f19","211210-2cb90e7e","211203-fdb6b5e1","211130-13cfcf6d","211128-7e8974fd","211127-86c43159","211018-e200f322","211010-83b4f783","211009-d6cc8df5","211007-8f55d6f8","211002-bf015326","210925-96168e4b","210523-b1856b9d","210520-4b32bac7","210519-24b5c7e6","210518-80981c25","210505-d3e53a89","210426-da6e948f","210422-97e75b04","210222-ac5a9d5e","210217-49039368","210216-4939e36a","210211-b9595dd4","210208-9e10ba69","210128-a82061e0","210121-07e559df","210120-e7cd5e9a","210119-a5399f06","210111-cc05c430","210104-7f9e806a","210102-af71e5f7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57945.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}