CVE-2026-39957
MEDIUMLychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users
Title source: cnaDescription
Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4.
References (3)
Scores
CVSS v3
4.3
EPSS
0.0003
EPSS Percentile
9.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-863
Status
published
Products (2)
lycheeorg/lychee
< 7.5.4
LycheeOrg/Lychee
< 7.5.4
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026