Impact
Lychee, the open-source photo-management application, contains a SQL operator-precedence bug in the SharingController::listAll() method. The condition that should restrict results to the requesting user's own albums is combined with the other filter conditions without explicit grouping, so it does not apply to the whole query and is effectively bypassed. As a result, an authenticated non-admin user with upload permission can retrieve the full list of user-group-based sharing settings, including metadata for private albums owned by other users. The vulnerability results in unauthorized disclosure of private album sharing information, exposing potentially sensitive data about other users.
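The bug class described above, shown as an added illustration that is not Lychee's own code or query: a constructed album_shares table in SQLite, the ungrouped query shape in which SQL's AND binds more tightly than OR and so detaches the owner check from part of the predicate, the parenthesized form beside it, and a regression check that lists the rows the ungrouped form leaks. The table name, column names and sample rows are assumptions for the example.

```python
import sqlite3

# Constructed sample data. The schema (album_shares with album_id, owner_id,
# share_kind, is_private) is an assumption for this example, not Lychee's.
SAMPLE_SHARES = [
    ("alice-holiday", "alice", "user",  1),
    ("alice-pets",    "alice", "group", 0),
    ("bob-private",   "bob",   "group", 1),
    ("bob-public",    "bob",   "user",  0),
    ("carol-secret",  "carol", "group", 1),
]


def open_db():
    """In-memory database populated with the constructed sharing rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE album_shares "
        "(album_id TEXT, owner_id TEXT, share_kind TEXT, is_private INTEGER)"
    )
    conn.executemany("INSERT INTO album_shares VALUES (?, ?, ?, ?)", SAMPLE_SHARES)
    return conn


def list_shares_ungrouped(conn, user_id):
    """Owner check written without parentheses around the OR alternatives.

    AND has higher precedence than OR in SQL, so this is evaluated as
    (owner_id = ? AND share_kind = 'user') OR share_kind = 'group':
    the owner restriction never applies to group-based shares.
    """
    sql = ("SELECT album_id FROM album_shares "
           "WHERE owner_id = ? AND share_kind = 'user' OR share_kind = 'group'")
    return sorted(row[0] for row in conn.execute(sql, (user_id,)))


def list_shares_grouped(conn, user_id):
    """Same intent with explicit grouping; the owner check covers both kinds."""
    sql = ("SELECT album_id FROM album_shares "
           "WHERE owner_id = ? AND (share_kind = 'user' OR share_kind = 'group')")
    return sorted(row[0] for row in conn.execute(sql, (user_id,)))


def leaked_albums(conn, user_id):
    """Regression check: rows the ungrouped query returns but the caller does not own."""
    owned = set(list_shares_grouped(conn, user_id))
    return [a for a in list_shares_ungrouped(conn, user_id) if a not in owned]
```

Query builders produce the same ungrouped SQL when an OR alternative is chained onto a WHERE without being wrapped in its own grouping, so the check above is worth running against any listing endpoint that mixes an ownership filter with OR conditions.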
Affected Systems
All installations of Lychee older than version 7.5.4 are affected. Any authenticated user who has upload permission and owns at least one album can trigger the flaw and read the private sharing data of other users. The fix shipped in version 7.5.4.
Risk and Exploitability
Although the CVSS score is 2.3, indicating low severity, the weakness is a broken access control (CWE-863) that can be exploited by legitimate users with specific permissions. The lack of EPSS data and the absence of the CVE from the KEV catalog suggest the vulnerability is not known to be actively exploited. The attack surface is the web API endpoint that lists sharing entries, which is reachable by authenticated users with upload rights. An attacker must be authenticated, hold upload rights, and own an album; once those conditions are met, requests to the list endpoint return metadata of private albums owned by other users.
OpenCVE Enrichment