{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "3.7.5"
              },
              {
                "fixed": "4.5.4"
              },
              {
                "introduced": "4.0.5"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "bef9ab09d501c035495e84d71a3442a5a78f16a9"
            },
            {
              "introduced": "3355a33451d51c9db0eb0541c6eb3cdf4d64263f"
            },
            {
              "fixed": "bef9ab09d501c035495e84d71a3442a5a78f16a9"
            }
          ],
          "repo": "https://github.com/chevereto/chevereto",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-h4jp-mxfx-g8xp"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55417.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "\u003e= 1.0.0"
          },
          {
            "last_affected": "\u003e= 1.0.0"
          }
        ],
        "source": "AFFECTED_FIELD"
      }
    ]
  },
  "details": "Chevereto is a self-hosted media-sharing platform. Starting in version 3.7.5 and prior to version 4.5.4, when a user enables the private profile option, visiting their profile HTML route (`/username`) correctly returns 404. However, the `/json` AJAX listing endpoint does not apply the same check. An unauthenticated caller who knows the target's user ID can retrieve all of that user's publicly-scoped images, revealing the username (which should be private). This is patched in Chevereto v4.5.4. No known workarounds are available.",
  "id": "CVE-2026-55417",
  "modified": "2026-07-12T03:54:30.221952316Z",
  "published": "2026-07-07T20:02:54.306Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://chevereto.com/community/threads/chevereto-v4-5-4-announcement.16398/post-80153"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55417.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/chevereto/chevereto/security/advisories/GHSA-h4jp-mxfx-g8xp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55417"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Chevereto private profile setting leaks username on /json endpoint"
}