{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.822Z", "datePublished": "2026-04-09T16:14:56.133Z", "dateUpdated": "2026-04-09T19:08:20.555Z"}, "containers": {"cna": {"title": "Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-4v4c-g2jv-4g25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-4v4c-g2jv-4g25"}, {"name": "https://github.com/LycheeOrg/Lychee/pull/4264", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/pull/4264"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/76a3f0513eca6458bf7f8c337c1ad65e59b22bcb", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/76a3f0513eca6458bf7f8c337c1ad65e59b22bcb"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 7.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:14:56.133Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4."}], "source": {"advisory": "GHSA-4v4c-g2jv-4g25", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T19:07:36.218379Z", "id": "CVE-2026-39957", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:08:20.555Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.822Z", "datePublished": "2026-04-09T16:14:56.133Z", "dateUpdated": "2026-04-09T19:08:20.555Z"}, "containers": {"cna": {"title": "Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-4v4c-g2jv-4g25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-4v4c-g2jv-4g25"}, {"name": "https://github.com/LycheeOrg/Lychee/pull/4264", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/pull/4264"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/76a3f0513eca6458bf7f8c337c1ad65e59b22bcb", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/76a3f0513eca6458bf7f8c337c1ad65e59b22bcb"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 7.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:14:56.133Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4."}], "source": {"advisory": "GHSA-4v4c-g2jv-4g25", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39957", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T19:07:36.218379Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:07:44.206Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5931780-0B36-422D-9C0B-97712E99220C", "versionEndExcluding": "7.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4."}], "id": "CVE-2026-39957", "lastModified": "2026-04-23T15:05:47.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T17:16:30.110", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/LycheeOrg/Lychee/commit/76a3f0513eca6458bf7f8c337c1ad65e59b22bcb"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/LycheeOrg/Lychee/pull/4264"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Patch"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-4v4c-g2jv-4g25"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.5.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Lychee", "source": "cna", "vendor": "LycheeOrg"}, "product": "lychee", "vendor": "lycheeorg"}], "analysis": {"en": {"generated_at": "2026-04-09T17:21:51.465192+00:00", "value": {"mitigation_remediation": ["Upgrade Lychee to version 7.5.4 or later."], "summary": {"action": "Apply patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "All installations of Lychee older than version 7.5.4 are affected. Users of Lychee who have accounts with upload permissions and own at least one album are the vectors, but any such user can read private sharing data of other users. The fix was implemented in update 7.5.4.", "description_and_impact": "Lychee, the open\u2011source photo\u2011management application, contains a SQL operator\u2011precedence bug in the SharingController::listAll() method. This flaw causes the condition that should restrict results to the owner\u2019s own albums to be bypassed, allowing an authenticated non\u2011admin user with upload permission to retrieve the full list of user\u2011group\u2013based sharing settings, including metadata for private albums owned by other users. The vulnerability results in unauthorized disclosure of private album sharing information, exposing potentially sensitive data about other users.", "risk_and_exploitability": "Although the CVSS score is 2.3, indicating a low severity assessment, the weakness is a broken access control (CWE\u2011863) that can be exploited by legitimate users with specific permissions. The lack of EPSS data and absence from the KEV catalog suggest the vulnerability is not known to be actively exploited. The likely attack surface is the web API that lists sharing entries, which is reachable by authenticated users with upload rights. An attacker must first be authenticated, have upload rights, and own an album, after which they can issue requests to the list endpoint and obtain metadata of private albums owned by other users."}}}}, "created": "2026-04-10T08:53:01.952262+00:00", "updated": "2026-04-10T09:32:13.979644+00:00", "vendors": ["lycheeorg", "lycheeorg$PRODUCT$lychee"]}