CVE-2026-39957
Status: Received - Intake
SQL Operator-Precedence Bug in Lychee Allows Unauthorized Data Access

Publication date: 2026-04-09

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4.
Meta Information

Generated: 2026-05-07

AI Q&A: 2026-04-09

EPSS Evaluated: 2026-05-05
Affected Vendors & Products

Vendor: lycheeorg
Product: lychee
Version / Range: up to 7.5.4 (excluding 7.5.4)
CWE

CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI-Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39957 is a broken access control vulnerability in the Lychee photo management application, specifically in the SharingController::listAll() method. The issue arises from a SQL operator-precedence bug in the query that retrieves sharing permissions. The query incorrectly applies an OR condition without proper grouping, causing the ownership filter to be bypassed.

This means that any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. The leaked information includes private album IDs and titles owned by others, as well as user group IDs and names associated with those albums.

The vulnerability is caused by improper SQL query construction where the orWhereNotNull('user_group_id') clause is applied at the top-level with an OR operator, effectively bypassing the intended ownership restrictions.


How can this vulnerability impact me?

This vulnerability allows an authenticated non-admin user with upload permissions who owns at least one album to access sharing permissions data for all user groups across the entire Lychee instance.

As a result, private album information owned by other users, including album IDs, titles, and associated user group details, can be exposed to unauthorized users.

This leads to unauthorized disclosure of sensitive sharing metadata, potentially compromising privacy and confidentiality within the photo management system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a broken access control in the Lychee photo management application, specifically in the SharingController::listAll() method. Detection involves verifying if an authenticated non-admin user with upload permission can retrieve sharing permissions for albums they do not own, including private albums of other users.

To detect exploitation or presence of this vulnerability, you can monitor or test the behavior of the sharing permissions API or database queries related to access permissions.

  • Authenticate as a non-admin user with upload permission who owns at least one album.
  • Invoke the API endpoint or function that lists sharing permissions (e.g., the endpoint that triggers SharingController::listAll()).
  • Check if the response includes sharing permissions related to user groups or private albums not owned by the authenticated user.

For command-line detection, you might use curl or similar tools to simulate such requests, for example:

  • curl -X GET -H "Authorization: Bearer <token_of_non_admin_user>" https://<lychee-instance>/api/sharing/listAll

Then analyze the returned data for sharing permissions that should not be accessible to that user.

Additionally, reviewing the source code or database queries for the presence of the vulnerable SQL pattern can help detect the vulnerability:

  • Look for queries in SharingController.php around lines 131-139 that use separate whereNotNull and orWhereNotNull calls without proper grouping.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Lychee to version 7.5.4 or later, where this vulnerability has been fixed.

The fix involves correcting the SQL query logic in the SharingController::listAll() method to properly group the OR conditions, preventing unauthorized access to sharing permissions.

  • Update your Lychee installation to version 7.5.4 or newer.
  • If immediate upgrade is not possible, consider restricting upload permissions to trusted users only, as the vulnerability requires an authenticated user with upload permission.
  • Audit user permissions and remove upload rights from users who do not require them.

Review and monitor access logs for suspicious access patterns related to sharing permissions.
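The precedence bug described in the explanation above and the grouping fix described in this answer, reduced to plain SQL over a constructed SQLite dataset. This is an added example, not Lychee's code: the table and column names (albums, access_permissions, user_groups, owner_id, user_id, user_group_id) are assumptions chosen to mirror the clauses the advisory names, and the query-builder calls are represented by the SQL they would emit. In SQL, AND binds tighter than OR, so an ungrouped `... AND user_id IS NOT NULL OR user_group_id IS NOT NULL` lets every group-based row escape the owner filter; the parenthesised form keeps both tests inside it.

```python
import sqlite3

# Constructed sample schema and data: names are assumptions for this
# illustration, not Lychee's actual database layout.
SCHEMA = """
CREATE TABLE albums (id TEXT PRIMARY KEY, owner_id INTEGER NOT NULL, title TEXT NOT NULL);
CREATE TABLE user_groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE access_permissions (
    id INTEGER PRIMARY KEY,
    base_album_id TEXT NOT NULL REFERENCES albums(id),
    user_id INTEGER,        -- set when an album is shared with a single user
    user_group_id INTEGER   -- set when an album is shared with a user group
);
"""

ALBUMS = [("a1", 1, "Alice holiday"), ("a2", 2, "Bob private"), ("a3", 2, "Bob family")]
GROUPS = [(10, "editors"), (11, "family")]
PERMISSIONS = [
    (1, "a1", 2, None),   # Alice (owner 1) shared a1 with user 2
    (2, "a2", None, 10),  # Bob (owner 2) shared a2 with group 10
    (3, "a3", 1, None),   # Bob shared a3 with user 1
    (4, "a3", None, 11),  # Bob shared a3 with group 11
]

SELECT = """
SELECT ap.base_album_id, a.title, ap.user_id, ap.user_group_id, g.name
FROM access_permissions ap
JOIN albums a ON a.id = ap.base_album_id
LEFT JOIN user_groups g ON g.id = ap.user_group_id
"""

# Ungrouped (what separate whereNotNull / orWhereNotNull calls emit):
# AND binds tighter than OR, so this parses as
#   (owner filter AND user_id IS NOT NULL) OR user_group_id IS NOT NULL
# and the OR branch is evaluated without any ownership restriction.
WHERE_UNGROUPED = (
    "WHERE a.owner_id = ? AND ap.user_id IS NOT NULL OR ap.user_group_id IS NOT NULL"
)

# Grouped: parentheses keep both NOT NULL tests inside the ownership filter.
WHERE_GROUPED = (
    "WHERE a.owner_id = ? AND (ap.user_id IS NOT NULL OR ap.user_group_id IS NOT NULL)"
)


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO albums VALUES (?,?,?)", ALBUMS)
    conn.executemany("INSERT INTO user_groups VALUES (?,?)", GROUPS)
    conn.executemany("INSERT INTO access_permissions VALUES (?,?,?,?)", PERMISSIONS)
    return conn


def list_sharing(conn, owner_id, grouped):
    """Sharing rows visible to owner_id under the grouped or ungrouped WHERE clause."""
    where = WHERE_GROUPED if grouped else WHERE_UNGROUPED
    return conn.execute(SELECT + where + " ORDER BY ap.id", (owner_id,)).fetchall()


def leaked_rows(conn, owner_id):
    """Rows the ungrouped query returns that the owner-scoped query does not."""
    own = set(list_sharing(conn, owner_id, grouped=True))
    return [r for r in list_sharing(conn, owner_id, grouped=False) if r not in own]


if __name__ == "__main__":
    db = build_db()
    for row in leaked_rows(db, owner_id=1):
        print("leaked to owner 1:", row)
```

Running the script as owner 1 (Alice) prints Bob's two group-shared albums, including their titles and group names, which is exactly the class of data the advisory says escapes the ownership filter; the same check for owner 2 leaks nothing, because every group-based row already belongs to that owner. The regression test worth keeping is the `leaked_rows` comparison: after the fix it must be empty for every non-admin user.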


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-39957 is a low-severity broken access control vulnerability in the Lychee photo management application that allows authenticated non-admin users with upload permissions to retrieve user-group-based sharing permissions across the entire instance, including private albums owned by other users.

This unauthorized disclosure of private album sharing metadata could potentially lead to exposure of personal or sensitive information, which may impact compliance with data protection regulations such as GDPR or HIPAA that require strict access controls and protection of private data.

Although the vulnerability is classified as low severity with limited confidentiality impact, the leakage of private album IDs, titles, and associated user group information could be considered a violation of privacy and data minimization principles mandated by these standards.

Therefore, organizations using affected versions of Lychee prior to 7.5.4 should consider this vulnerability as a risk to compliance and apply the fix to prevent unauthorized data disclosure.

