## Summary

Users can report private messages, even when they are neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can simply iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this even if the private message is removed from the response, as they are able to see the resulting reports.

## Details

Creating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. At least lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to recipients only.

The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported.

### Example response

In the report below, the creator with id 3 is different from the private message creator (id 2) and the private message recipient (id 6).

```json
{
  "private_message_report_view": {
    "private_message_report": {
      "id": 14,
      "creator_id": 3,
      "private_message_id": 7,
      "original_pm_text": "testfoo",
      "reason": "reporting id 7",
      "resolved": false,
      "published": "2023-12-15T19:23:03.441967Z"
    },
    "private_message": {
      "id": 7,
      "creator_id": 2,
      "recipient_id": 6,
      "content": …
```
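The authorization rule and response shape the advisory asks for, plus an audit helper for existing reports, as an added example that is not code from Lemmy itself; the report views are constructed from the ids in the example above, and the function names are hypothetical:

```python
import json

# Constructed sample modelled on the advisory's example: report 14 was filed by
# user 3, who is neither sender (2) nor recipient (6); report 15 is legitimate.
SAMPLE_REPORT_VIEWS = json.loads("""[
  {"private_message_report": {"id": 14, "creator_id": 3, "private_message_id": 7,
                              "original_pm_text": "testfoo", "reason": "reporting id 7",
                              "resolved": false},
   "private_message": {"id": 7, "creator_id": 2, "recipient_id": 6, "content": "testfoo"}},
  {"private_message_report": {"id": 15, "creator_id": 6, "private_message_id": 7,
                              "original_pm_text": "testfoo", "reason": "spam",
                              "resolved": false},
   "private_message": {"id": 7, "creator_id": 2, "recipient_id": 6, "content": "testfoo"}}
]""")


def may_report(reporter_id: int, private_message: dict) -> bool:
    """Rule suggested by the advisory: only the recipient of a PM may report it."""
    return reporter_id == private_message["recipient_id"]


def create_report(reporter_id: int, private_message: dict, reason: str, report_id: int) -> dict:
    """Hardened handler: reject unauthorized reporters and never echo the PM back.

    Raises PermissionError for the server to map to an HTTP 403; the returned
    dict deliberately omits the private_message object and its content.
    """
    if not may_report(reporter_id, private_message):
        raise PermissionError("only the recipient of a private message may report it")
    report = {
        "id": report_id,
        "creator_id": reporter_id,
        "private_message_id": private_message["id"],
        "reason": reason,
        "resolved": False,
    }
    return {"private_message_report": report}  # no private_message in the response


def find_illegitimate_reports(report_views: list) -> list:
    """Audit helper for instance admins: ids of stored reports whose creator was
    not the recipient, i.e. reports that could only exist through this bug."""
    return [
        view["private_message_report"]["id"]
        for view in report_views
        if not may_report(view["private_message_report"]["creator_id"], view["private_message"])
    ]
```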