Threat Feed
medium advisory

Piwigo Unauthenticated History Search Access

Piwigo versions prior to 16.3.0 expose the full browsing history of gallery visitors to unauthenticated users via the pwg.history.search API method due to a missing authorization check.

Piwigo, an open-source photo gallery application, contains a vulnerability (CVE-2026-27833) affecting versions prior to 16.3.0. The vulnerability lies within the pwg.history.search API method, which lacks an admin_only access control. This oversight allows unauthenticated users to query and retrieve the browsing history of all gallery visitors. An attacker can leverage this flaw to gain insights into user behavior, potentially exposing sensitive information about their interests and activities within the photo gallery. Piwigo version 16.3.0 addresses this vulnerability by implementing the necessary authorization check.

Attack Chain

  1. An unauthenticated attacker identifies a Piwigo instance running a version prior to 16.3.0.
  2. The attacker crafts an HTTP request invoking the pwg.history.search API method.
  3. The attacker sends the crafted HTTP request to the vulnerable Piwigo server.
  4. The Piwigo server, lacking the authorization check, processes the request without requiring authentication.
  5. The server retrieves the browsing history of all gallery visitors from the database.
  6. The server returns the browsing history data in the HTTP response to the attacker.
  7. The attacker parses the response and analyzes the browsing history data to identify user activities and interests.

Impact

Successful exploitation of CVE-2026-27833 allows unauthenticated attackers to access sensitive user browsing history within a Piwigo photo gallery. This can lead to a privacy breach, potentially exposing user interests, activities, and even personal information gleaned from their browsing patterns. The impact is limited to information disclosure as the attacker cannot modify data, but the privacy implications can be significant for users of affected Piwigo installations.

Recommendation

  • Upgrade all Piwigo installations to version 16.3.0 or later to patch CVE-2026-27833.
  • Monitor web server logs for requests to the pwg.history.search API endpoint, especially those lacking an authenticated session, to detect potential exploitation attempts. Deploy the Sigma rule "Detect Piwigo History Search Access" to identify suspicious activity.
  • Implement a Web Application Firewall (WAF) rule to block unauthorized access to the pwg.history.search API endpoint.
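The log review suggested above, as an added example that is not part of this advisory or of the Piwigo project: it scans web server access logs for calls to pwg.history.search and flags those made without a Piwigo session cookie. It assumes Apache combined format with an appended "%{Cookie}i" field, that the API lives at ws.php, and that Piwigo's session cookie is named pwg_id; the log lines are constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: combined log format plus a trailing quoted Cookie field (assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] "GET /ws.php?format=json&method=pwg.history.search&page=0 HTTP/1.1" 200 8421 "-" "curl/8.4.0" "-"
198.51.100.4 - - [10/Mar/2026:14:03:40 +0000] "GET /ws.php?format=json&method=pwg.categories.getList HTTP/1.1" 200 1200 "-" "Mozilla/5.0" "-"
192.0.2.9 - - [10/Mar/2026:14:05:02 +0000] "GET /ws.php?method=pwg%2Ehistory%2Esearch&format=json HTTP/1.1" 200 9102 "-" "python-requests/2.31" "pwg_id=abc123"
203.0.113.7 - - [10/Mar/2026:14:06:15 +0000] "POST /ws.php HTTP/1.1" 200 9102 "-" "curl/8.4.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)

def is_history_search(url: str) -> bool:
    """True when a ws.php request's query names pwg.history.search (percent-encoding decoded)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/ws.php"):
        return False
    methods = parse_qs(parts.query).get("method", [])
    return any(m.lower() == "pwg.history.search" for m in methods)

def has_session(cookie: Optional[str]) -> bool:
    """Assumes Piwigo's session cookie is named pwg_id; "-" means no Cookie header was sent."""
    return bool(cookie) and "pwg_id=" in cookie

def find_history_search_hits(log_text: str) -> list:
    """Return one record per pwg.history.search call, marking whether a session cookie was present."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_history_search(m["url"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                     "ua": m["ua"], "authenticated": has_session(m["cookie"])})
    return hits

if __name__ == "__main__":
    for hit in find_history_search_hits(SAMPLE_LOG):
        flag = "OK" if hit["authenticated"] else "UNAUTHENTICATED"
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} {flag}')
```

Requests that send the method in a POST body (the fourth sample line) are invisible to query-string matching, so a WAF or application-level log is needed to cover that path.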

Detection coverage (2 rules)

Detect Piwigo History Search Access

medium

Detects unauthenticated access to the pwg.history.search API endpoint in Piwigo, indicating potential CVE-2026-27833 exploitation.

Rule type: Sigma. Tactic: discovery. Technique: T1592.001. Log sources: webserver, linux.

Detect Piwigo API Access Attempt

low

Detects access to the Piwigo API based on cs-uri-query

Rule type: Sigma. Tactic: discovery. Technique: T1592.001. Log sources: webserver, linux.

