PT-2026-31650 · Lychee · Lychee

Published: 2026-04-09 · Updated: 2026-04-09 · CVE-2026-39957

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Lychee versions prior to 7.5.4

Description: A SQL operator-precedence bug in SharingController::listAll() allows authenticated non-admin users with upload permission who own at least one album to retrieve all user-group-based sharing permissions across the entire instance, including those for private albums owned by other users. The orWhereNotNull('user_group_id') clause is OR'ed at the same level as the ownership predicate, so it bypasses the ownership filter applied by the when() block.

Recommendations: Update to version 7.5.4 or later.
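The precedence problem described above, shown as an added example that is not Lychee's code: a constructed albums/shares schema in SQLite, with the flawed WHERE shape (ownership predicate OR'ed with the group-not-null predicate at the same level) beside a grouped form in which the ownership constraint is applied first and the share-type alternatives are parenthesised under it. Table and column names, the sample rows and the exact shape of the corrected predicate are assumptions made for illustration.

```python
import sqlite3
from typing import List

# Constructed schema and sample rows for illustration; these are not Lychee's tables.
# User 10 owns album 1, user 20 owns album 2. Share 2 is a group-based share of
# user 20's private album and must never be visible to user 10.
SCHEMA = """
CREATE TABLE albums (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, title TEXT NOT NULL);
CREATE TABLE shares (id INTEGER PRIMARY KEY, album_id INTEGER NOT NULL,
                     user_id INTEGER, user_group_id INTEGER);
INSERT INTO albums VALUES (1, 10, 'alice-private'), (2, 20, 'bob-private');
INSERT INTO shares VALUES
  (1, 1, 20, NULL),   -- user 10 shared album 1 with user 20
  (2, 2, NULL, 5),    -- user 20 shared album 2 with user group 5
  (3, 1, NULL, 7);    -- user 10 shared album 1 with user group 7
"""

BASE = "SELECT s.id FROM shares s JOIN albums a ON a.id = s.album_id"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_shares_vulnerable(user_id: int, is_admin: bool) -> List[int]:
    """Flawed shape: the non-admin block appends the group predicate with OR.

    AND binds tighter than OR, so the filter reads
    (owner_id = ?) OR (user_group_id IS NOT NULL): every group-based share in
    the whole database matches, regardless of who owns the album.
    """
    sql, params = BASE, []
    if not is_admin:  # the equivalent of the when(!isAdmin) block
        sql += " WHERE a.owner_id = ? OR s.user_group_id IS NOT NULL"
        params = [user_id]
    with open_db() as conn:
        return sorted(row[0] for row in conn.execute(sql, params))


def list_shares_fixed(user_id: int, is_admin: bool) -> List[int]:
    """Grouped shape: ownership is enforced first, alternatives are nested.

    In a query builder this is the nested-closure form; in raw SQL it is the
    parenthesised OR under the AND. Assumed correction, not Lychee's patch.
    """
    sql, params = BASE, []
    if not is_admin:
        sql += (" WHERE a.owner_id = ? AND (s.user_id IS NOT NULL"
                " OR s.user_group_id IS NOT NULL)")
        params = [user_id]
    with open_db() as conn:
        return sorted(row[0] for row in conn.execute(sql, params))


def leaked_share_ids(user_id: int) -> List[int]:
    """Share rows a non-admin caller sees only because of the precedence bug."""
    exposed = set(list_shares_vulnerable(user_id, is_admin=False))
    allowed = set(list_shares_fixed(user_id, is_admin=False))
    return sorted(exposed - allowed)


if __name__ == "__main__":
    print("vulnerable, user 10:", list_shares_vulnerable(10, False))
    print("fixed, user 10:     ", list_shares_fixed(10, False))
    print("leaked to user 10:  ", leaked_share_ids(10))
```

Running it shows the non-admin caller (user 10) receiving share 2, another user's group-based share, under the flawed predicate and only their own shares under the grouped one; the admin path is unchanged in both. The same check is a useful regression test for any list endpoint that combines a caller-scoped filter with OR'ed alternatives: assert that a non-owner never sees rows whose owner differs from the caller.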

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-39957

Affected Products: Lychee