In October 2025, a critical server-side flaw in Instagram made it possible for unauthenticated attackers to view private photos and captions without needing to log in or to follow the account. Instagram silently patched the vulnerability.

Here’s how the PoC worked…

Credit: youtube.com/@jatinbanga4978

Writeup: https://medium.com/@jatin.b.rx3/i-found-a-bug-that-exposed-private-instagram-posts-to-anyone-eebb7923f7e3