
CVE-2024-23649: CWE-285: Improper Authorization in LemmyNet lemmy

Severity: High
Tags: Vulnerability, CVE-2024-23649, CWE-285, CWE-200
Published: Wed Jan 24 2024 (01/24/2024, 18:09:30 UTC)
Source: CVE Database V5
Vendor/Project: LemmyNet
Product: lemmy

Description

Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports. Creating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to recipients only. The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported: Any authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance. Version 0.19.1 contains a patch for this issue. A workaround is available. If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied.

AI-Powered Analysis

Last updated: 07/08/2025, 19:56:18 UTC

Technical Analysis

CVE-2024-23649 is a high-severity improper authorization vulnerability (CWE-285) affecting LemmyNet's lemmy software versions from 0.17.0 up to but not including 0.19.1. Lemmy is a federated link aggregator and forum platform used in the fediverse. The vulnerability arises because the API endpoint responsible for reporting private messages (/api/v3/private_message/report) does not properly validate whether the user creating the report is authorized to do so—that is, whether they are the sender or recipient of the private message. Consequently, any authenticated user can submit a report for any private message ID, even if they are unrelated to the conversation. The API response to creating such a report includes the full contents of the private message, effectively allowing unauthorized users to enumerate and access all private messages on the instance by iterating over message IDs. This leads to a significant confidentiality breach (CWE-200). The vulnerability is exacerbated by the fact that some Lemmy instances allow open registrations without application approval, meaning an attacker can easily create an account and exploit this flaw without elevated privileges. Even in instances requiring registration approval, the privilege barrier remains low. Instance administrators can also abuse the flaw to view reports and associated private messages. The vulnerability was patched in version 0.19.1. As an interim mitigation, administrators can block the vulnerable API route at the reverse proxy level, which disables private message reporting but prevents exploitation until the patch is applied. The CVSS v3.1 base score is 7.5 (high), reflecting network exploitability without authentication or user interaction, and a high impact on confidentiality with no impact on integrity or availability.
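The following is an added illustration, written for this page and not code from the Lemmy project: a minimal in-memory model of a private-message report endpoint that contrasts the missing check the analysis describes (any authenticated caller can report any message id and receives the message in the response) with a recipient-scoped lookup that closes the gap. All type names, functions and sample data are hypothetical constructions for the example.

```rust
// Added example, not Lemmy's code: a minimal model of a private-message report
// endpoint that contrasts the missing check described in CVE-2024-23649 with
// the recipient-only check that closes it. All names and data are hypothetical.
use std::collections::HashMap;

pub type PersonId = u64;
pub type PrivateMessageId = u64;

#[derive(Clone, Debug, PartialEq)]
pub struct PrivateMessage {
    pub id: PrivateMessageId,
    pub creator_id: PersonId,
    pub recipient_id: PersonId,
    pub content: String,
}

/// What the endpoint returns to the caller. As in the advisory, it carries the
/// reported message's content, so it must only ever reach an authorized party.
#[derive(Clone, Debug, PartialEq)]
pub struct PrivateMessageReportView {
    pub report_id: u64,
    pub private_message_id: PrivateMessageId,
    pub reporter_id: PersonId,
    pub reason: String,
    pub private_message_content: String,
}

/// One error for both "no such message" and "not your message": distinct
/// errors would still let a caller learn which ids exist after the fix.
#[derive(Debug, PartialEq)]
pub enum ApiError {
    NotFound,
}

pub struct Store {
    messages: HashMap<PrivateMessageId, PrivateMessage>,
    next_report_id: u64,
}

impl Store {
    /// Constructed sample data: one message from person 10 to person 20.
    pub fn with_sample_data() -> Self {
        let mut messages = HashMap::new();
        messages.insert(
            1,
            PrivateMessage {
                id: 1,
                creator_id: 10,
                recipient_id: 20,
                content: "constructed sample message".to_string(),
            },
        );
        Store { messages, next_report_id: 1 }
    }

    fn build_view(&mut self, pm: &PrivateMessage, reporter: PersonId, reason: &str) -> PrivateMessageReportView {
        let report_id = self.next_report_id;
        self.next_report_id += 1;
        PrivateMessageReportView {
            report_id,
            private_message_id: pm.id,
            reporter_id: reporter,
            reason: reason.to_string(),
            private_message_content: pm.content.clone(),
        }
    }

    /// Pre-0.19.1 behaviour as the advisory describes it: the only check is
    /// that the id exists, so any authenticated caller receives the content.
    pub fn create_report_vulnerable(&mut self, reporter: PersonId, pm_id: PrivateMessageId, reason: &str) -> Result<PrivateMessageReportView, ApiError> {
        let pm = self.messages.get(&pm_id).cloned().ok_or(ApiError::NotFound)?;
        Ok(self.build_view(&pm, reporter, reason))
    }

    /// Fixed behaviour: the lookup is scoped to the caller's own inbox, so the
    /// message content is never loaded into a response for anyone else
    /// (the sender is excluded too, matching what lemmy-ui permits).
    pub fn create_report_fixed(&mut self, reporter: PersonId, pm_id: PrivateMessageId, reason: &str) -> Result<PrivateMessageReportView, ApiError> {
        let pm = self
            .messages
            .get(&pm_id)
            .filter(|pm| pm.recipient_id == reporter)
            .cloned()
            .ok_or(ApiError::NotFound)?;
        Ok(self.build_view(&pm, reporter, reason))
    }
}

fn main() {
    let mut store = Store::with_sample_data();
    println!("unrelated user, vulnerable: {:?}", store.create_report_vulnerable(30, 1, "spam"));
    println!("unrelated user, fixed:      {:?}", store.create_report_fixed(30, 1, "spam"));
    println!("recipient, fixed:           {:?}", store.create_report_fixed(20, 1, "spam"));
}
```

The design point is that the authorization check is folded into the lookup rather than applied afterwards: the message row is filtered by `recipient_id == reporter` before anything is copied into a response object, and the same `NotFound` is returned whether the id is missing or belongs to someone else, so the endpoint cannot be used to confirm which message ids exist.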

Potential Impact

For European organizations using Lemmy instances—particularly those hosting communities or federated forums—this vulnerability poses a serious risk to user privacy and data confidentiality. Private messages, which may contain sensitive personal or organizational information, can be exposed to unauthorized users, undermining trust in the platform and potentially violating data protection regulations such as the GDPR. The breach of confidentiality could lead to reputational damage, legal liabilities, and loss of user base. Since Lemmy is used in various communities including political, social, and professional groups, exposure of private communications could have broader societal impacts. The ease of exploitation without requiring elevated privileges or user interaction increases the likelihood of abuse. Organizations relying on Lemmy for internal or external communications must consider the risk of data leakage and potential compliance violations. Additionally, administrators could misuse the vulnerability to access private messages, raising insider threat concerns.

Mitigation Recommendations

The primary mitigation is to upgrade all affected Lemmy instances to version 0.19.1 or later, where the vulnerability is patched. Until an upgrade is feasible, administrators should block the /api/v3/private_message/report endpoint at the reverse proxy or firewall level to prevent exploitation. This will disable the ability to report private messages but will protect against unauthorized data disclosure. It is also recommended to audit user registrations and restrict open registrations if possible, to reduce the risk of attacker account creation. Monitoring logs for unusual activity related to private message reporting or enumeration attempts can help detect exploitation attempts. Organizations should review their instance configurations to enforce strict access controls and consider implementing additional application-layer authorization checks. Finally, informing users about the issue and encouraging cautious sharing of sensitive information until the patch is applied can reduce risk.
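As an added example of the reverse-proxy workaround (not a configuration shipped by the Lemmy project or quoted from the advisory), the following nginx fragment denies the vulnerable route in front of an instance that has not yet been upgraded. It assumes nginx is already proxying Lemmy's `/api` paths; the logging line is optional and the log name is a placeholder.

```nginx
# Added example: block the private-message report route until the
# instance runs Lemmy 0.19.1 or later. Exact-match locations take
# priority over prefix locations such as "location /api", so this
# wins regardless of its position in the server block.
location = /api/v3/private_message/report {
    # Optional: keep a dedicated log so blocked attempts are easy to review.
    access_log /var/log/nginx/lemmy-blocked-report.log;   # placeholder path
    return 403;
}
```

After reloading the proxy, requests to that path are answered with 403 before they reach the application, which disables private message reporting for everyone, as the advisory notes. Counting 403 responses on this path in the proxy logs, especially many requests from one account or address with varying message ids, is a simple detection signal while the block is in place; remove the block once the upgrade to 0.19.1 is complete so the reporting feature works again.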


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2024-01-19T00:18:53.234Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839c098182aa0cae2b3b72e

Added to database: 5/30/2025, 2:28:40 PM

Last enriched: 7/8/2025, 7:56:18 PM

Last updated: 7/31/2025, 7:28:47 PM
