The vulnerability in PhotoPrism prior to version 260601-a7d098548 is a broken access control issue (CWE-639) where authenticated users without admin privileges can send requests to arbitrary user endpoints. Because the PUT users API endpoint does not validate that the session user matches the target user identifier, attackers can overwrite other users' profile details without authorization.

An attacker with valid authentication but without administrative rights can modify profile information of other users. This could lead to unauthorized changes in user data, potentially affecting user trust and system integrity. There is no indication of privilege escalation beyond profile modification or other system impacts.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor vendor communications for updates. Until a fix is available, restrict access to the affected API endpoint where possible or implement additional access controls to verify user identity on requests.