VYPR
Moderate severity · NVD Advisory · Published Apr 19, 2022 · Updated Aug 3, 2024

CVE-2022-26595


Description

Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Liferay Portal 7.3.7, 7.4.0 and 7.4.1, and Liferay DXP 7.2 fix pack 13 and 7.3 fix pack 2, expose site/group lists to authenticated users because of missing permission checks.

Vulnerability

Liferay Portal versions 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13 and 7.3 fix pack 2 do not properly verify user permissions when displaying a list of sites/groups in the user's site membership assignment UI [1]. The flaw exists because the code does not enforce the ASSIGN_MEMBERS action ID filter when a user ID is provided, allowing unauthorized viewing of groups [3].

Exploitation

A remote authenticated attacker can open the site membership assignment UI and view a list of sites/groups that they should not be able to see. No special privileges and no user interaction beyond authentication are required; the attacker simply navigates to the affected UI component [1][3].

Impact

The attacker gains unauthorized visibility into the list of sites and groups within the Liferay instance. This information disclosure can expose sensitive details about the organizational structure and site membership, potentially aiding further attacks. No modification or deletion of data is possible [1].

Mitigation

Liferay has addressed this vulnerability in Liferay Portal 7.4.2 and later, and in Liferay DXP 7.2 fix pack 14 and 7.3 fix pack 3 [1][3]. Users should upgrade to the fixed versions. If immediate upgrade is not possible, applying the commit that adds the _filterGroups method and the actionId parameter in the group search logic can serve as a workaround [3]. No KEV listing is reported.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay.portal:release.portal.bom (Maven) | >= 7.4.0, < 7.4.2-ga3 | 7.4.2-ga3
com.liferay.portal:release.dxp.bom (Maven) | >= 7.2.0, < 7.2.10.fp13 | 7.2.10.fp13
com.liferay.portal:release.dxp.bom (Maven) | >= 7.3.0, < 7.3.10.fp2 | 7.3.10.fp2
com.liferay:com.liferay.site.browser.web (Maven) | < 6.0.5 | 6.0.5
com.liferay.portal:com.liferay.portal.impl (Maven) | < 7.7.9 | 7.7.9
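To check a deployment's Maven inventory against the ranges in this table, here is an added example in Python (not part of the advisory and not Liferay's code). The ordering it assumes for the ga/fp suffixes is my own reading of the table, and the sample inventory at the bottom is constructed for the stand-alone run.

```python
"""Audit Maven coordinates against the affected-version ranges listed for
CVE-2022-26595. Added example; not part of the advisory or of Liferay."""
import re

# Ranges copied from the advisory's "Affected packages" table:
# (Maven groupId:artifactId, constraint, patched version to move to).
AFFECTED = [
    ("com.liferay.portal:release.portal.bom", ">= 7.4.0, < 7.4.2-ga3", "7.4.2-ga3"),
    ("com.liferay.portal:release.dxp.bom", ">= 7.2.0, < 7.2.10.fp13", "7.2.10.fp13"),
    ("com.liferay.portal:release.dxp.bom", ">= 7.3.0, < 7.3.10.fp2", "7.3.10.fp2"),
    ("com.liferay:com.liferay.site.browser.web", "< 6.0.5", "6.0.5"),
    ("com.liferay.portal:com.liferay.portal.impl", "< 7.7.9", "7.7.9"),
]

_PART = re.compile(r"([A-Za-z]*)(\d+)")
_CLAUSE = re.compile(r"(>=|<=|>|<)\s*(\S+)")
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def version_key(version):
    """Map a Liferay-style version ('7.4.2-ga3', '7.2.10.fp13', '6.0.5') to a
    tuple that compares the way the advisory's ranges read (assumed ordering).
    Numeric parts become (0, n); tagged parts such as ga3 or fp13 become
    (1, tag, n). A version with fewer parts sorts before a longer one sharing
    its prefix, so a bare 7.4.2 counts as older than 7.4.2-ga3 (conservative)."""
    key = []
    for part in re.split(r"[.\-]", version.strip()):
        m = _PART.fullmatch(part)
        if m is None:
            raise ValueError(f"unrecognised version part {part!r} in {version!r}")
        tag, num = m.group(1).lower(), int(m.group(2))
        key.append((0, num) if not tag else (1, tag, num))
    return tuple(key)


def satisfies(version, constraint):
    """True when `version` meets every comma-separated clause of `constraint`,
    e.g. '>= 7.4.0, < 7.4.2-ga3'. Unparseable clauses raise rather than pass."""
    v = version_key(version)
    for clause in constraint.split(","):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"bad constraint clause {clause!r}")
        if not _OPS[m.group(1)](v, version_key(m.group(2))):
            return False
    return True


def check(package, version):
    """Return the patched version to upgrade to if (package, version) falls in
    an affected range, otherwise None."""
    for pkg, constraint, patched in AFFECTED:
        if pkg == package and satisfies(version, constraint):
            return patched
    return None


def audit(deps):
    """deps: iterable of (groupId:artifactId, version) pairs, as pulled from a
    pom.xml or `mvn dependency:list`. Returns (package, version, patched) for
    every affected entry."""
    findings = []
    for pkg, ver in deps:
        patched = check(pkg, ver)
        if patched is not None:
            findings.append((pkg, ver, patched))
    return findings


# Constructed sample inventory for a stand-alone run (not from any real deployment).
SAMPLE_DEPS = [
    ("com.liferay.portal:release.portal.bom", "7.4.1-ga2"),
    ("com.liferay.portal:release.dxp.bom", "7.2.10.fp12"),
    ("com.liferay.portal:release.dxp.bom", "7.3.10.fp2"),
    ("com.liferay:com.liferay.site.browser.web", "6.0.4"),
    ("com.liferay.portal:com.liferay.portal.impl", "7.7.9"),
]

if __name__ == "__main__":
    for pkg, ver, patched in audit(SAMPLE_DEPS):
        print(f"AFFECTED {pkg} {ver} -> upgrade to {patched}")
```

On the constructed inventory three of the five entries are reported: the portal BOM at 7.4.1-ga2, the DXP BOM at 7.2.10.fp12, and site.browser.web at 6.0.4; the DXP BOM already at 7.3.10.fp2 and portal.impl at 7.7.9 sit on the patched versions and are not flagged. A version string the parser does not recognise raises instead of silently passing, which is the behaviour you want in an audit script.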

Affected products

6

Patches

1
5b958de42d93

LPS-134264 Ensure that the groups are filtered even if a userId is not passed in.

https://github.com/liferay/liferay-portal · Jonathan McCann · Jun 15, 2021 · via ghsa
2 files changed · +40 −23
  • modules/apps/site/site-browser-web/src/main/java/com/liferay/site/browser/web/internal/display/context/SiteBrowserDisplayContext.java · +3 −0 · modified
    @@ -496,6 +496,9 @@ else if (filterManageableGroups) {
     
     			_groupParams.put("usersGroups", user.getUserId());
     		}
    +		else {
    +			_groupParams.put("actionId", ActionKeys.ASSIGN_MEMBERS);
    +		}
     
     		_groupParams.put("site", Boolean.TRUE);
     
    
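Review bot: the new `else` branch attaches the permission filter through the loosely typed `"actionId"` string key in `_groupParams`, so a mistyped key on either side (here or in `doSearch`) would silently skip filtering rather than fail; a shared constant for the key would make that mistake visible at compile time. This hunk also references `ActionKeys` without adding an import line (the file is +3 added lines only), so confirm the import already exists in `SiteBrowserDisplayContext`.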
  • portal-impl/src/com/liferay/portal/service/impl/GroupLocalServiceImpl.java · +37 −23 · modified
    @@ -4313,7 +4313,13 @@ protected Collection<Group> doSearch(
     			groups.retainAll(rolePersistence.getGroups(roleId));
     		}
     
    +		String actionId = (String)params.remove("actionId");
    +
     		if (userId == null) {
    +			if (actionId != null) {
    +				return _filterGroups(actionId, groups);
    +			}
    +
     			return groups;
     		}
     
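Review bot: the `userId == null` early return now honours `"actionId"`, which is the actual fix, but filtering stays opt-in: a caller that omits `"actionId"` still gets the unfiltered `groups` back from this same branch. Document that contract on `doSearch` (which params trigger permission filtering, and that `"actionId"` is consumed via `params.remove`), and add a test for the `userId == null` path asserting that a group on which the caller lacks ASSIGN_MEMBERS is excluded, since nothing in this diff covers it.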
    @@ -4357,30 +4363,8 @@ protected Collection<Group> doSearch(
     			}
     		}
     
    -		String actionId = (String)params.remove("actionId");
    -
     		if (actionId != null) {
    -			PermissionChecker permissionChecker =
    -				PermissionThreadLocal.getPermissionChecker();
    -
    -			for (Group group : groups) {
    -				try {
    -					if (permissionChecker.isGroupAdmin(group.getGroupId()) ||
    -						GroupPermissionUtil.contains(
    -							permissionChecker, group.getGroupId(), actionId)) {
    -
    -						joinedGroups.add(group);
    -					}
    -				}
    -				catch (PortalException portalException) {
    -					if (_log.isWarnEnabled()) {
    -						_log.warn(
    -							"Unable to check permission for group " +
    -								group.getGroupId(),
    -							portalException);
    -					}
    -				}
    -			}
    +			joinedGroups.addAll(_filterGroups(actionId, groups));
     		}
     
     		if (_log.isDebugEnabled() && !params.isEmpty()) {
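Review bot: the replacement of the inline loop with `joinedGroups.addAll(_filterGroups(actionId, groups))` preserves the per-group logic, but `_filterGroups` hands back a `HashSet`, so matching groups now enter `joinedGroups` in hash order instead of the iteration order of `groups`. If `joinedGroups` feeds an ordered or paginated result, either use a `LinkedHashSet` in the helper or note in the commit message that order is not preserved.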
    @@ -5214,6 +5198,36 @@ protected void validateRemoteGroup(
     
     	protected File publicLARFile;
     
    +	private Collection<Group> _filterGroups(
    +		String actionId, Collection<Group> groups) {
    +
    +		Collection<Group> filteredGroups = new HashSet<>();
    +
    +		PermissionChecker permissionChecker =
    +			PermissionThreadLocal.getPermissionChecker();
    +
    +		for (Group group : groups) {
    +			try {
    +				if (permissionChecker.isGroupAdmin(group.getGroupId()) ||
    +					GroupPermissionUtil.contains(
    +						permissionChecker, group.getGroupId(), actionId)) {
    +
    +					filteredGroups.add(group);
    +				}
    +			}
    +			catch (PortalException portalException) {
    +				if (_log.isWarnEnabled()) {
    +					_log.warn(
    +						"Unable to check permission for group " +
    +							group.getGroupId(),
    +						portalException);
    +				}
    +			}
    +		}
    +
    +		return filteredGroups;
    +	}
    +
     	private Map<Locale, String> _normalizeNameMap(Map<Locale, String> nameMap) {
     		Map<Locale, String> normalizedNameMap = new HashMap<>();
     
    
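Review bot: `_filterGroups` dereferences `PermissionThreadLocal.getPermissionChecker()` without a null check; if `doSearch` can be reached from a thread with no permission checker bound (a scheduled job or a service call outside a request), `isGroupAdmin` throws a `NullPointerException`, which the `PortalException` handler below it does not catch. Either guard for null and return an empty collection, or document that callers must have a permission checker in scope. The `catch` itself is the right fail-closed choice: a group whose permission check fails is logged and dropped rather than shown.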

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.