Lychee Cross-User Authorization Vulnerability in Album Password Unlock Functionality

Vulnerability

A vulnerability in the Lychee photo management tool, prior to version 7.1.0, allows users to gain unauthorized access to other users' password-protected albums. This issue arises because, when a user unlocks a password-protected public album, all other public albums with the same password are also unlocked, regardless of who owns them, creating a complete authorization bypass. The vulnerability is rooted in the album password propagation feature, which was intended to improve the user experience but inadvertently compromised privacy and security in multi-user scenarios.

Impact

Exploitation of this vulnerability allows unauthorized access to private photos and content in other users' password-protected albums, exposing all album contents, metadata, and photos to unauthorized users.

Reproduction

To reproduce this vulnerability, unlock a password-protected public album on a multi-user Lychee installation. The system will automatically unlock all other public albums with the same password, bypassing authorization checks and granting access to potentially sensitive content.
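As an added illustration that is not Lychee's own code, the following simplified model shows the propagation logic the advisory describes beside a hardened variant. The hardened version scopes propagation to the owner of the album being unlocked; this is an assumed mitigation, not the actual 7.1.0 patch, and the albums, users and hashing are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _hash(pw: str) -> str:
    # Illustration only: a real deployment uses a salted hash such as bcrypt.
    return hashlib.sha256(pw.encode()).hexdigest()


def _check(pw: str, h: str) -> bool:
    return hmac.compare_digest(_hash(pw), h)


@dataclass
class Album:
    id: int
    owner: str
    is_public: bool
    password_hash: str


# Constructed sample data: two different users protect albums with the same password.
ALBUMS = [
    Album(1, "alice", True, _hash("summer2024")),
    Album(2, "bob", True, _hash("summer2024")),
    Album(3, "bob", True, _hash("other-secret")),
]


def unlock_vulnerable(session_unlocked: set, albums, album_id: int, password: str) -> bool:
    """Pre-7.1.0 behaviour as described: one correct password unlocks every
    public album that accepts it, whoever owns it (session_unlocked is per visitor)."""
    target = next(a for a in albums if a.id == album_id)
    if not _check(password, target.password_hash):
        return False
    for a in albums:
        if a.is_public and _check(password, a.password_hash):
            session_unlocked.add(a.id)  # propagation crosses owner boundaries
    return True


def unlock_hardened(session_unlocked: set, albums, album_id: int, password: str) -> bool:
    """Assumed mitigation: propagation is limited to albums of the same owner."""
    target = next(a for a in albums if a.id == album_id)
    if not _check(password, target.password_hash):
        return False
    for a in albums:
        if a.owner == target.owner and a.is_public and _check(password, a.password_hash):
            session_unlocked.add(a.id)
    return True


def can_view(session_unlocked: set, album: Album) -> bool:
    return album.is_public and album.id in session_unlocked
```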

Remediation

Users are advised to update to Lychee version 7.1.0, where this vulnerability has been fixed.

Added: Jan 12, 2026, 7:18 PM
Updated: Jan 12, 2026, 7:18 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 7.2
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.