CVE-2026-27833 Overview
CVE-2026-27833 is a Missing Authorization vulnerability (CWE-862) affecting Piwigo, an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This represents a significant privacy breach as attackers can harvest sensitive visitor activity data without any authentication.
Critical Impact
Unauthenticated attackers can access complete browsing history of all gallery visitors, exposing sensitive user activity data and potentially enabling further targeted attacks.
Affected Products
- Piwigo versions prior to 16.3.0
- Self-hosted Piwigo installations with default API configurations
- Any Piwigo deployment exposing the pwg.history.search API endpoint
Discovery Timeline
- April 3, 2026 - CVE-2026-27833 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27833
Vulnerability Analysis
The vulnerability exists in Piwigo's API registration mechanism where the pwg.history.search endpoint was incorrectly configured without proper access controls. This API method provides access to visitor browsing history, including which images and albums were viewed, timestamps of access, and potentially visitor IP addresses or session identifiers.
The missing admin_only flag in the API method registration allows any remote attacker to query this sensitive endpoint without authentication. This is a classic example of a Broken Access Control vulnerability where sensitive administrative functionality is inadvertently exposed to unauthorized users.
The network-accessible nature of this vulnerability means that any internet-facing Piwigo installation is potentially at risk, with no user interaction required for exploitation.
Root Cause
The root cause is a missing authorization check in the API method registration. When the pwg.history.search method was registered with the Piwigo API framework, the admin_only configuration option was not set, effectively making the endpoint publicly accessible. This type of oversight commonly occurs when developers add new API functionality without following consistent security patterns for access control.
Attack Vector
An attacker can exploit this vulnerability by sending unauthenticated HTTP requests to the Piwigo API endpoint. The attack is straightforward and requires no special tools or privileges:
- The attacker identifies a Piwigo installation (version prior to 16.3.0)
- The attacker sends a direct HTTP request to the pwg.history.search API method
- Without any authentication, the server returns complete browsing history data
- The attacker can harvest visitor information including viewing patterns, timestamps, and potentially user identifiers
The vulnerability is exploitable remotely over the network with low attack complexity and no user interaction required. The primary impact is confidentiality loss as the complete browsing history of all gallery visitors becomes exposed to unauthorized parties.
Detection Methods for CVE-2026-27833
Indicators of Compromise
- Unusual volume of requests to the pwg.history.search API endpoint from external IP addresses
- API access logs showing unauthenticated requests to history search functionality
- Requests to Piwigo API endpoints without corresponding authentication tokens or session cookies
- Automated scanning patterns targeting known Piwigo API methods
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on unauthenticated API requests to sensitive endpoints
- Enable detailed logging for all Piwigo API calls and establish baseline access patterns
- Deploy intrusion detection signatures that identify bulk data extraction patterns from the history API
- Monitor for reconnaissance activity targeting Piwigo version fingerprinting
Monitoring Recommendations
- Configure alerts for any unauthenticated access attempts to administrative API endpoints
- Establish rate limiting on API endpoints to detect and slow automated extraction attempts
- Review access logs regularly for anomalous patterns in history search queries
- Implement network-level monitoring for large data transfers from Piwigo servers
How to Mitigate CVE-2026-27833
Immediate Actions Required
- Upgrade Piwigo to version 16.3.0 or later immediately
- If immediate upgrade is not possible, restrict network access to Piwigo API endpoints using firewall rules
- Review API access logs for any evidence of prior exploitation
- Consider temporarily disabling the history search functionality if upgrading is not immediately feasible
Patch Information
Piwigo has released version 16.3.0 which addresses this vulnerability by properly configuring the pwg.history.search API method with appropriate authorization requirements. The fix is available in commit d05c16561ce3692ca922199f8c8d7b1a45893f1c. Organizations should review the GitHub Security Advisory and the official release notes for complete patching guidance.
Workarounds
- Restrict access to the Piwigo API at the web server or reverse proxy level to trusted IP addresses only
- Implement authentication requirements at the web server level (e.g., HTTP Basic Auth) for all API endpoints as a temporary measure
- Use firewall rules to block external access to /ws.php or API-related paths until patching is complete
- Consider taking the gallery offline temporarily if it contains highly sensitive visitor activity data
# Example nginx configuration to restrict API access temporarily
location ~ ^/ws\.php {
# Allow only internal/trusted networks
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
# Standard Piwigo PHP processing
include fastcgi_params;
fastcgi_pass php-fpm;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
