PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55417 chevereto CVE debrief

CVE-2026-55417 is a vulnerability in Chevereto, a self-hosted media-sharing platform. When a user enables the private profile option, their profile HTML route (/username) correctly returns 404. However, the /json AJAX listing endpoint does not apply the same check. An unauthenticated caller who knows the target's user ID can retrieve all of that user's publicly-scoped images, revealing the username (which should be private). This is patched in Chevereto v4.5.4. The vulnerability exists due to inconsistent access control checks between the profile HTML route and the /json AJAX listing endpoint.

Vendor
chevereto
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Chevereto, especially those with private profiles, should be aware of this vulnerability and ensure they are running version 4.5.4 or later to prevent unauthorized access to their publicly-scoped images. Additionally, administrators and security teams managing Chevereto deployments should review user profiles, monitor for unauthorized access, and apply the necessary updates.

Technical summary

The vulnerability exists in Chevereto versions 3.7.5 to 4.5.3. When a user enables the private profile option, the platform correctly returns a 404 error for their profile HTML route (/username). However, the /json AJAX listing endpoint does not enforce the same access control, allowing an unauthenticated attacker who knows the target user's ID to retrieve their publicly-scoped images. This results in the disclosure of the username, which is intended to be private. The issue arises from the lack of consistent access control checks between different endpoints.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to Chevereto version 4.5.4 or later
  • Review and update user profiles to ensure private profiles are correctly configured
  • Monitor for unauthorized access to publicly-scoped images
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-07T21:17:27.160Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The source item URL for CVE-2026-55417 is available but details are limited. Defenders should verify the affected scope and vendor guidance with the official CVE record and NVD detail page.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:27.160Z and has not been modified since then. The NVD entry is currently Received.