
GHSA-95q8-x6r6-672m: Lemmy may expose private community data through community, saved, liked, and modlog API views

May 6, 2026

Lemmy applies private-community checks in PostView and CommentView, but several adjacent API views skip the accepted-follower filter. Bob, a registered user who is not an accepted follower, can read private community sidebar and summary fields. Alice, a former accepted follower, can still read saved and liked private post bodies after she leaves. An unauthenticated visitor can read private community metadata and removed private post names through the modlog.
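The bug class described above, as an added Rust illustration that is not Lemmy's own code: every view that can return private-community data must go through one accepted-follower check, and a view that trusts its own list (saved posts, modlog) without consulting the community is exactly where the check gets skipped. All type and function names here are hypothetical.

```rust
// Added illustration (not Lemmy's code) of the bug class in GHSA-95q8-x6r6-672m:
// private-community data must pass one accepted-follower check in every view
// that can return it, not only in the main post/comment views.
use std::collections::HashSet;

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct UserId(pub u32);

pub struct Community {
    pub private: bool,
    pub accepted_followers: HashSet<UserId>, // currently accepted members only
}

pub struct Post {
    pub name: String,
    pub body: String,
}

/// The single rule every view must apply: a private community is visible only
/// to a logged-in user who is an accepted follower right now. An anonymous
/// viewer and a former follower both fail it.
pub fn can_view_private(c: &Community, viewer: Option<UserId>) -> bool {
    !c.private || viewer.map_or(false, |u| c.accepted_followers.contains(&u))
}

/// Vulnerable shape: a "saved posts" view that trusts the saved list and never
/// consults the community, so a user who left keeps reading private bodies.
pub fn saved_view_unchecked<'a>(saved: &[&'a Post]) -> Vec<&'a str> {
    saved.iter().map(|p| p.body.as_str()).collect()
}

/// Hardened shape: the same view routed through the shared check.
pub fn saved_view<'a>(c: &Community, viewer: Option<UserId>, saved: &[&'a Post]) -> Vec<&'a str> {
    if !can_view_private(c, viewer) {
        return Vec::new();
    }
    saved.iter().map(|p| p.body.as_str()).collect()
}

/// Modlog line for a removed post: the removal itself is public, but the post
/// name is private-community data and is redacted for anyone failing the check.
pub fn modlog_entry(c: &Community, viewer: Option<UserId>, removed: &Post) -> String {
    let name = if can_view_private(c, viewer) { removed.name.as_str() } else { "[redacted]" };
    format!("removed post {}", name)
}
```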

References

  • github.com/LemmyNet/lemmy
  • github.com/LemmyNet/lemmy/commit/637151121a8e27b2b8c95e98d6f86966b31b4a6d
  • github.com/LemmyNet/lemmy/security/advisories/GHSA-95q8-x6r6-672m
  • github.com/advisories/GHSA-95q8-x6r6-672m

Affected versions

All versions up to 0.19.1-rc.1

Solution

Unfortunately, there is no solution available yet.

Impact: 5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weakness

  • CWE-862: Missing Authorization

Source file

cargo/lemmy_api/GHSA-95q8-x6r6-672m.yml

Page generated Sat, 09 May 2026 00:19:42 +0000.