CVE-2026-27833
Published: 03 April 2026
Summary
CVE-2026-27833 is a high-severity Missing Authorization (CWE-862) vulnerability in Piwigo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 15.1st percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for logical access, directly preventing unauthenticated users from invoking the pwg.history.search API to access sensitive browsing history.
- Applies the least privilege principle to restrict the API method to admin-only access, mitigating the missing authorization flaw as patched in version 16.3.0.
- Ensures configuration settings for API endpoints like pwg.history.search include required access restrictions such as admin_only to prevent exposure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization on a public-facing Piwigo API endpoint directly enables remote unauthenticated exploitation of the web application (T1190) to retrieve stored browsing history data (T1005, Data from Local System).
NVD Description
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.
Deeper analysis
CVE-2026-27833 affects Piwigo, an open source photo gallery application for the web, in versions prior to 16.3.0. The vulnerability stems from the pwg.history.search API method being registered without the admin_only option, which exposes the full browsing history of all gallery visitors. This flaw, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no prerequisites for exploitation.
Unauthenticated attackers can exploit this vulnerability remotely by directly invoking the pwg.history.search API endpoint. Successful exploitation grants access to sensitive browsing history data from all users of the gallery, potentially revealing navigation patterns, viewed content, and user behavior across the site without requiring any privileges, user interaction, or special conditions.
The issue has been addressed in Piwigo version 16.3.0, where the patch adds the necessary admin_only restriction to the API method. Official mitigation guidance from the GitHub security advisory (GHSA-397m-gfhm-pmg2) and the project commit (d05c16561ce3692ca922199f8c8d7b1a45893f1c) recommends upgrading to the fixed release, with release notes available at piwigo.org/release-16.3.0.
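As an added illustration (not Piwigo's own code), the following minimal PHP model of a web-service method registry shows why a method registered without admin_only is reachable by anonymous callers and what an admin-only registration of pwg.history.search looks like. The class and method names, the is-admin flag and the error codes are assumptions made for this model; the history rows are constructed sample data.

```php
<?php
// Added model, not Piwigo's code: a tiny registry in the spirit of ws.php that
// stores per-method options and enforces the admin_only option at dispatch time.
class MiniWsServer
{
    private array $methods = [];

    // Register a method name with its callback and an options array (e.g. admin_only).
    public function addMethod(string $name, callable $callback, array $options = []): void
    {
        $this->methods[$name] = ['callback' => $callback, 'options' => $options];
    }

    // Dispatch a call; $isAdmin models the result of an is-admin check on the session.
    public function invoke(string $name, bool $isAdmin): array
    {
        if (!isset($this->methods[$name])) {
            return ['stat' => 'fail', 'err' => 501, 'message' => 'Method not found'];
        }
        $m = $this->methods[$name];
        // The only authorization gate: a method is protected solely when it was
        // registered with admin_only. Forgetting the option means no check at all.
        if (!empty($m['options']['admin_only']) && !$isAdmin) {
            return ['stat' => 'fail', 'err' => 401, 'message' => 'Access denied'];
        }
        return ['stat' => 'ok', 'result' => ($m['callback'])()];
    }
}

// Constructed stand-in for the visitor history rows the real method would return.
$historyRows = fn(): array => [
    ['date' => '2026-04-01', 'ip' => '198.51.100.7', 'image_id' => 42],
];

// Registration without admin_only: the pre-16.3.0 situation the advisory describes.
$vulnerable = new MiniWsServer();
$vulnerable->addMethod('pwg.history.search', $historyRows);

// Registration with admin_only: the method is restricted to administrators.
$fixed = new MiniWsServer();
$fixed->addMethod('pwg.history.search', $historyRows, ['admin_only' => true]);

// Same call from an anonymous session against each registry, then from an admin.
foreach ([[$vulnerable, false, 'no admin_only, anonymous caller'],
          [$fixed, false, 'admin_only, anonymous caller'],
          [$fixed, true, 'admin_only, admin caller']] as [$server, $isAdmin, $label]) {
    $r = $server->invoke('pwg.history.search', $isAdmin);
    echo $label, ': ', $r['stat'], isset($r['err']) ? " ({$r['err']})" : '', PHP_EOL;
}
```

Run with `php` from the command line; the anonymous call succeeds only against the registry that omits admin_only, which is the condition an upgrade to 16.3.0 removes.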
Details
- CWE(s)