Auth bypass in Lycheeorg Lychee

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block…
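The precedence problem described above, as an added example that is not Lychee's code: a simplified model run in SQLite, where the `shares` table, the `owner_id` and `user_id` columns and all rows are constructed assumptions, and only `user_group_id` comes from the advisory. It compares a flat AND/OR chain with the parenthesised form.

```python
import sqlite3

# Constructed rows: (id, owner_id, user_id, user_group_id).
ROWS = [
    (1, 10, 20, None),  # owned by user 10, shared with a user
    (2, 10, None, 5),   # owned by user 10, shared with a group
    (3, 11, 21, None),  # owned by user 11, shared with a user
    (4, 11, None, 6),   # owned by user 11, shared with a group
]

# Flat chain: AND binds tighter than OR, so this parses as
# (user_id IS NOT NULL AND owner_id = ?) OR (user_group_id IS NOT NULL)
# and the group clause is never subject to the ownership filter.
FLAT = """SELECT id FROM shares
          WHERE user_id IS NOT NULL AND owner_id = ?
             OR user_group_id IS NOT NULL
          ORDER BY id"""

# Grouped: both "shared with" alternatives sit inside one parenthesis,
# so the ownership filter constrains every returned row.
GROUPED = """SELECT id FROM shares
             WHERE (user_id IS NOT NULL OR user_group_id IS NOT NULL)
               AND owner_id = ?
             ORDER BY id"""


def visible_ids(sql, owner_id):
    """Run one of the queries for a caller and return the row ids it sees."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE shares (id INTEGER PRIMARY KEY, owner_id INTEGER, "
        "user_id INTEGER, user_group_id INTEGER)"
    )
    con.executemany("INSERT INTO shares VALUES (?, ?, ?, ?)", ROWS)
    ids = [row[0] for row in con.execute(sql, (owner_id,))]
    con.close()
    return ids


def leaked_ids(owner_id):
    """Ids the flat query returns that the grouped query would withhold."""
    allowed = set(visible_ids(GROUPED, owner_id))
    return [i for i in visible_ids(FLAT, owner_id) if i not in allowed]


if __name__ == "__main__":
    for uid in (10, 11):
        print(uid, visible_ids(FLAT, uid), visible_ids(GROUPED, uid), leaked_ids(uid))
```

A regression test for this class of bug can assert that `leaked_ids` is empty for every non-admin caller.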

Vulnerability class: Broken Access Control

EPSS: 0.000 (7.8th percentile)
