Lychee Photo Management Tool Exposed Private Album Sharing Metadata to Unauthorized Users
A critical access control flaw in the Lychee photo management software allowed authenticated users to view the group-based sharing permissions of every album on an instance, including private albums belonging to other users. The vulnerability, tracked as CVE-2026-39957, stemmed from a SQL operator-precedence bug in the `SharingController::listAll()` function: `AND` binds more tightly than `OR`, so a `WHERE` clause that mixes the two without parentheses is evaluated differently from what its author intended. Here the conditional ownership filter that should have restricted the listing to the caller's own albums was effectively bypassed, leaking metadata about which user groups had been granted access to private albums owned by other users.
Specifically, any non-admin user with basic upload permissions could exploit this flaw, provided they owned at least one album themselves. With that precondition met, the call returned the complete list of user-group-based sharing permissions across the entire Lychee installation rather than only the caller's own. What leaked was access-control metadata rather than the photos themselves, but that metadata is sensitive in its own right: it reveals which groups had been granted access to which private albums, and with it relationships between users and groups that the album owners intended to keep private.
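The following Python/SQLite example is added here to illustrate the class of bug the advisory describes; it is not code from the Lychee project. The schema, sample data and the exact shape of both queries are constructed assumptions chosen so that the symptom matches the one described above (a non-admin who owns at least one album sees every group share on the instance; one who owns none sees nothing), not a reproduction of Lychee's real `listAll()` query.

```python
import sqlite3

# Constructed, simplified schema of the kind a photo manager with
# group-based album sharing would have. Assumed for illustration; not
# Lychee's real tables or column names.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, may_administrate INTEGER);
CREATE TABLE base_albums (id INTEGER PRIMARY KEY, title TEXT, owner_id INTEGER);
CREATE TABLE user_group_base_album (group_id INTEGER, base_album_id INTEGER);
"""

# Constructed sample data: alice owns one private album, bob owns two,
# carol owns none, and user 1 is the administrator.
SAMPLE_USERS = [(1, "admin", 1), (2, "alice", 0), (3, "bob", 0), (4, "carol", 0)]
SAMPLE_ALBUMS = [(10, "alice-holiday", 2), (20, "bob-family", 3), (30, "bob-hidden", 3)]
SAMPLE_SHARES = [(100, 10), (200, 20), (300, 30)]  # (group_id, base_album_id)


def make_db() -> sqlite3.Connection:
    """Build an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO base_albums VALUES (?, ?, ?)", SAMPLE_ALBUMS)
    conn.executemany("INSERT INTO user_group_base_album VALUES (?, ?)", SAMPLE_SHARES)
    return conn


def buggy_list_all(conn, uid, is_admin):
    """Flawed listing with an OR/AND precedence bug (hypothetical query).

    The author meant  (owner OR admin) AND join-condition,  but SQL parses
    the unparenthesised form as  owner OR (admin AND join-condition).
    For a non-admin the right-hand branch is always false, so each
    base_albums row the caller owns is paired with EVERY sharing row
    (the join condition no longer constrains anything), leaking all group
    shares on the instance. A caller who owns no album gets nothing back,
    which is why ownership of at least one album is a precondition.
    """
    sql = """
        SELECT DISTINCT ug.group_id, ug.base_album_id
        FROM user_group_base_album AS ug, base_albums AS ba
        WHERE ba.owner_id = :uid OR :is_admin = 1 AND ba.id = ug.base_album_id
        ORDER BY ug.group_id, ug.base_album_id
    """
    params = {"uid": uid, "is_admin": 1 if is_admin else 0}
    return [tuple(r) for r in conn.execute(sql, params)]


def fixed_list_all(conn, uid, is_admin):
    """Hardened listing: explicit JOIN ... ON plus a parenthesised ownership filter."""
    sql = """
        SELECT DISTINCT ug.group_id, ug.base_album_id
        FROM user_group_base_album AS ug
        JOIN base_albums AS ba ON ba.id = ug.base_album_id
        WHERE (ba.owner_id = :uid OR :is_admin = 1)
        ORDER BY ug.group_id, ug.base_album_id
    """
    params = {"uid": uid, "is_admin": 1 if is_admin else 0}
    return [tuple(r) for r in conn.execute(sql, params)]


def foreign_rows(conn, uid, rows):
    """Sharing rows whose album is not owned by uid.

    A regression check of the kind worth keeping in a test suite: for a
    non-admin caller this must be empty, whatever the query looks like.
    """
    owned = {r[0] for r in conn.execute("SELECT id FROM base_albums WHERE owner_id = ?", (uid,))}
    return [r for r in rows if r[1] not in owned]


if __name__ == "__main__":
    db = make_db()
    for uid, name, admin in SAMPLE_USERS:
        print(f"{name:6} buggy={buggy_list_all(db, uid, admin)} fixed={fixed_list_all(db, uid, admin)}")
```

Running the script shows alice (who owns one album) receiving all three group shares from the buggy query but only her own from the fixed one, carol (who owns none) receiving nothing from either, and the administrator receiving the full list from both. The `foreign_rows` check is the property to assert in a regression test: a non-admin listing must never contain a row for an album the caller does not own.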
The vulnerability was patched in Lychee version 7.5.4. The issue shows how a single operator-precedence error in an access-control query can turn a per-user listing into an instance-wide one and compromise user privacy at scale, a risk that self-hosted software carries just as much as any other. Because the flaw is a logic error inside the query rather than a misconfiguration, there is no setting that works around it: administrators running any version before 7.5.4 are urged to upgrade immediately to prevent unauthorized data exposure.