GHSA-qxrw-f6fh-34r7: Lemmy resend-verification endpoint exposes registered email addresses to unauthenticated users
The unauthenticated resend-verification endpoint returns different responses for registered and unregistered email addresses. A malicious third party can submit candidate addresses to /api/v4/account/auth/resend_verification_email and, from the response, distinguish registered accounts from addresses that have no account.
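The response-difference oracle the advisory describes, beside the uniform-response shape that closes it, as an added Rust illustration; this is not Lemmy's code, and `AccountStore`, `Reply`, the two handler names and the sample addresses are constructed for the example.

```rust
// Added illustration (not Lemmy's code): why a resend-verification endpoint
// leaks registration status, and the uniform-response pattern that closes it.
use std::collections::HashSet;

/// Constructed stand-in for the account table (an assumption for this example).
pub struct AccountStore {
    emails: HashSet<String>,
}

impl AccountStore {
    pub fn new(registered: &[&str]) -> Self {
        AccountStore {
            emails: registered.iter().map(|e| e.to_ascii_lowercase()).collect(),
        }
    }

    fn is_registered(&self, email: &str) -> bool {
        self.emails.contains(&email.to_ascii_lowercase())
    }
}

/// What the client observes: HTTP status plus body. Any difference here is an oracle.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Reply {
    pub status: u16,
    pub body: &'static str,
}

/// The leaky shape described in the advisory: the reply depends on whether the
/// address is registered, so a caller can tell hits from misses.
pub fn resend_leaky(store: &AccountStore, email: &str, outbox: &mut Vec<String>) -> Reply {
    if store.is_registered(email) {
        outbox.push(email.to_string());
        Reply { status: 200, body: "verification email sent" }
    } else {
        Reply { status: 404, body: "no account with that email" }
    }
}

/// Hardened shape: the reply is a constant regardless of registration state.
/// The mail send is queued rather than performed inline, so the response path
/// does the same work in both branches and the timing gap shrinks as well.
pub fn resend_uniform(store: &AccountStore, email: &str, outbox: &mut Vec<String>) -> Reply {
    if store.is_registered(email) {
        outbox.push(email.to_string());
    }
    Reply {
        status: 200,
        body: "if that address is registered, a verification email will be sent",
    }
}

/// Defender's regression check: call the handler with one registered and one
/// unregistered address and report whether the replies can be told apart.
pub fn replies_distinguishable(
    handler: fn(&AccountStore, &str, &mut Vec<String>) -> Reply,
    store: &AccountStore,
) -> bool {
    let mut sink = Vec::new();
    let hit = handler(store, "alice@example.com", &mut sink);
    let miss = handler(store, "nobody@example.com", &mut sink);
    hit != miss
}

fn main() {
    let store = AccountStore::new(&["alice@example.com"]);
    println!(
        "leaky handler distinguishable: {}",
        replies_distinguishable(resend_leaky, &store)
    );
    println!(
        "uniform handler distinguishable: {}",
        replies_distinguishable(resend_uniform, &store)
    );
}
```

The constant status and body are the core of the fix; the check function is the kind of test a maintainer can keep in the suite so the oracle does not come back. A uniform body is not sufficient on its own if the registered branch does noticeably more work (for example, sending mail synchronously), which is why the example only enqueues the message; pairing the endpoint with per-source rate limiting further reduces how many candidates an unauthenticated caller can submit.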