Lychee SQL Operator-Precedence Bug in SharingController Allows Unauthorized Access to Private Album Metadata

Vulnerability

An authorization flaw has been identified in Lychee versions prior to 7.5.4. Although recorded as SQL injection, it does not involve attacker-supplied SQL: it is a SQL operator-precedence bug in the SharingController's listAll() method. The orWhereNotNull('user_group_id') clause is appended at the top level of the query, and because SQL binds AND more tightly than OR, the user-group condition is evaluated independently of the ownership filter that was meant to restrict the listing to the caller's own albums. As a result, an authenticated non-admin user who has upload permission and owns at least one album can list user-group-based sharing permissions across the whole instance, including those attached to private albums of other users.
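To make the precedence effect concrete, the following is an added example written for this page, not Lychee's own code. It reproduces the query shape described above against a constructed in-memory SQLite schema loosely modelled on Lychee's album and per-album sharing tables; the table and column names, the sample rows, and the exact predicate the ownership filter is combined with (a user-share condition) are assumptions. The flawed form ORs the group condition at top level and returns another user's group-shared album; the parenthesised form keeps the ownership filter in force over both share types.

```python
import sqlite3

# Constructed, simplified schema approximating Lychee's albums and per-album
# sharing rows (an assumption for this example, not the project's migrations).
SCHEMA = """
CREATE TABLE base_albums (
    id       TEXT PRIMARY KEY,
    owner_id INTEGER NOT NULL,
    title    TEXT NOT NULL
);
CREATE TABLE user_groups (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE access_permissions (
    id            INTEGER PRIMARY KEY,
    base_album_id TEXT NOT NULL REFERENCES base_albums(id),
    user_id       INTEGER,   -- set when the album is shared with one user
    user_group_id INTEGER    -- set when the album is shared with a user group
);
"""

# Constructed sample data: user 1 owns album a1; user 2 owns b1 and b2.
SAMPLE_DATA = {
    "base_albums": [("a1", 1, "Alice holiday"), ("b1", 2, "Bob private"), ("b2", 2, "Bob drafts")],
    "user_groups": [(10, "Editors"), (11, "Family")],
    "access_permissions": [
        (1, "a1", 2, None),   # a1 shared with user 2
        (2, "b1", None, 11),  # b1 (private to user 2) shared with group Family
        (3, "b2", 1, None),   # b2 shared with user 1
        (4, "a1", None, 10),  # a1 shared with group Editors
    ],
}


def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO base_albums VALUES (?, ?, ?)", SAMPLE_DATA["base_albums"])
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)", SAMPLE_DATA["user_groups"])
    conn.executemany("INSERT INTO access_permissions VALUES (?, ?, ?, ?)", SAMPLE_DATA["access_permissions"])
    return conn


BASE_SELECT = """
SELECT a.id, a.title, p.user_group_id, g.name
FROM access_permissions p
JOIN base_albums a ON a.id = p.base_album_id
LEFT JOIN user_groups g ON g.id = p.user_group_id
"""


def flawed_list_all(conn, requester_id):
    """Mirrors the precedence bug: the ownership filter is ANDed only with the
    user-share condition while the group-share condition is ORed at top level.
    SQL binds AND tighter than OR, so the WHERE clause is evaluated as
    (owner_id = ? AND user_id IS NOT NULL) OR user_group_id IS NOT NULL."""
    sql = BASE_SELECT + """
WHERE a.owner_id = ? AND p.user_id IS NOT NULL OR p.user_group_id IS NOT NULL
ORDER BY p.id"""
    return conn.execute(sql, (requester_id,)).fetchall()


def fixed_list_all(conn, requester_id):
    """Parenthesised disjunction: the ownership filter governs both share types."""
    sql = BASE_SELECT + """
WHERE a.owner_id = ? AND (p.user_id IS NOT NULL OR p.user_group_id IS NOT NULL)
ORDER BY p.id"""
    return conn.execute(sql, (requester_id,)).fetchall()


def leaked_rows(conn, requester_id):
    """Rows the flawed query returns for albums the requester does not own."""
    owned = {row[0] for row in conn.execute(
        "SELECT id FROM base_albums WHERE owner_id = ?", (requester_id,))}
    return [row for row in flawed_list_all(conn, requester_id) if row[0] not in owned]


if __name__ == "__main__":
    conn = build_db()
    # Requester 1 is a non-admin who owns one album; the flawed query hands
    # them user 2's private album together with the group that can see it.
    for row in leaked_rows(conn, 1):
        print("leaked:", row)
```

The same check translates to a real instance: take the rows returned by the sharing listing and subtract the album IDs the requesting account owns; anything left over is exactly the exposure described above.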

Impact

Exploitation allows an authenticated low-privilege user to enumerate the IDs and titles of other users' private albums, together with the IDs and names of the user groups that have been granted access to them. The exposure described here is limited to that sharing metadata; the advisory does not describe access to the albums' photos.

Reproduction

The vulnerability can be reproduced by an authenticated non-admin user who has upload permission and owns at least one album. That user invokes the SharingController's listAll() method, which returns user-group-based sharing permissions for all albums rather than only the caller's own. Any returned row whose album ID is not among the albums the caller owns, in particular a private album of another user, confirms the exposure.

Remediation

Update to Lychee version 7.5.4 or later, which corrects the listAll() query so that the ownership filter is applied to the group-based condition as well.

Added: Apr 9, 2026, 5:47 PM
Updated: Apr 9, 2026, 5:47 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.