CVE-2026-55417 in Chevereto
Summary
by MITRE • 07/08/2026
Chevereto is a self-hosted media-sharing platform. Starting in version 3.7.5 and prior to version 4.5.4, when a user enables the private profile option, visiting their profile HTML route (`/username`) correctly returns 404. However, the `/json` AJAX listing endpoint does not apply the same check. An unauthenticated caller who knows the target's user ID can retrieve all of that user's publicly-scoped images, revealing the username (which should be private). This is patched in Chevereto v4.5.4. No known workarounds are available.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/08/2026
This vulnerability exists within Chevereto's authentication and authorization mechanisms, specifically affecting the platform's handling of private user profiles across different API endpoints. The issue stems from inconsistent security checks between the HTML profile route and the JSON AJAX endpoint, creating a privilege escalation vector that allows unauthorized access to private content. When users enable private profiles, the system correctly blocks direct HTML access to their profiles with a 404 error response, but fails to apply equivalent access controls to the underlying JSON API endpoint designed for AJAX functionality.
The technical flaw manifests as a broken access control pattern where the `/json` endpoint does not validate whether the requesting user has proper authorization to view the target profile's content. This creates a scenario where an attacker can construct requests to the `/username/json` endpoint using known user IDs, bypassing the intended privacy controls. The vulnerability operates at the application layer and represents a classic case of insufficient authorization checks, which aligns with CWE-285: "Improper Authorization" and potentially CWE-668: "Exposure of Resource to Wrong Sphere". The flaw enables information disclosure by allowing unauthenticated users to enumerate publicly-scoped images from private profiles, effectively leaking usernames that should remain hidden.
The operational impact of this vulnerability is significant for user privacy and data protection. Attackers can discover and map out private user bases within the platform, potentially identifying high-value targets for further exploitation or social engineering attacks. The disclosure of usernames through image metadata reveals user activity patterns and personal information that users reasonably expect to keep private. This type of vulnerability can be categorized under the MITRE ATT&CK framework as T1087.001: "Account Discovery" and potentially T1213.002: "Data from Information Repositories" when considering the enumeration of user data through API endpoints.
The security implications extend beyond simple information disclosure, as this vulnerability demonstrates a fundamental flaw in how Chevereto handles access control consistency across its API surface. The lack of proper input validation and authorization checks at the JSON endpoint creates a persistent risk that could be exploited by automated tools to systematically discover private content. Organizations using Chevereto should implement immediate mitigations including updating to version 4.5.4 or higher, which addresses the inconsistency in access control enforcement between HTML and JSON endpoints. Without known workarounds available, administrators must prioritize patching this vulnerability to prevent unauthorized enumeration of private user data and maintain the integrity of user privacy controls within their media sharing platform.