Description
Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.
Published: 2026-01-12
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass via password propagation
Action: Upgrade
AI Analysis

Impact

An authorization flaw in Lychee’s album password unlock feature allows a user to gain unauthorized access to other users’ password‑protected albums. When a public album is unlocked, the system automatically lifts the password restriction for all other public albums that share the same password, effectively bypassing the intended access controls. This flaw can lead to disclosure of private photos and content that the user was not permitted to view.

Affected Systems

The vulnerability affects environments running Lychee before version 7.1.0. It involves the LycheeOrg Lychee product, broadly described as a free, open‑source photo‑management tool. No specific sub‑components or licensing variants are identified beyond those included in the primary application.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, which further mitigates immediate risk. Based on the description, the likely attack vector involves an authenticated user who knows the password of a public album; the system then propagates that password to all other public albums with the same credential, thereby bypassing authorization checks. No additional attacker prerequisites are specified beyond knowledge of the shared password.

Generated by OpenCVE AI on April 18, 2026 at 06:59 UTC.
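As an added illustration (not Lychee's code, and not from the advisory), a minimal Python model of the unlock logic described above: the vulnerable variant remembers a successful unlock by password, so every public album sharing that password becomes viewable, while the fixed variant remembers it by album id. Album ids, owners and passwords are constructed sample data.

```python
# Added illustrative model of the CVE-2026-22784 pattern; not Lychee's code.
from dataclasses import dataclass, field
import hmac

@dataclass(frozen=True)
class Album:
    album_id: str
    owner: str
    password: str  # plaintext only for brevity; a real store keeps a hash

@dataclass
class Session:
    unlocked_passwords: set = field(default_factory=set)  # vulnerable design
    unlocked_album_ids: set = field(default_factory=set)  # fixed design

# Constructed sample data: two unrelated owners chose the same password.
ALBUMS = {
    "a1": Album("a1", "alice", "summer2024"),
    "a2": Album("a2", "bob", "summer2024"),
}

def _password_matches(album, candidate):
    return hmac.compare_digest(album.password.encode(), candidate.encode())

# Vulnerable: the unlock is remembered by *password*, so the access check
# later matches every public album that shares it (CWE-863).
def unlock_vulnerable(session, album_id, candidate):
    album = ALBUMS[album_id]
    if not _password_matches(album, candidate):
        return False
    session.unlocked_passwords.add(album.password)
    return True

def can_view_vulnerable(session, album_id):
    return ALBUMS[album_id].password in session.unlocked_passwords

# Fixed: the unlock is remembered by *album id*; the password decides only
# whether this one album joins the session's unlocked set.
def unlock_fixed(session, album_id, candidate):
    album = ALBUMS[album_id]
    if not _password_matches(album, candidate):
        return False
    session.unlocked_album_ids.add(album.album_id)
    return True

def can_view_fixed(session, album_id):
    return album_id in session.unlocked_album_ids

def demo():
    """Unlock a1 only; return (vulnerable grants a2, fixed grants a2)."""
    s = Session()
    unlock_vulnerable(s, "a1", "summer2024")
    unlock_fixed(s, "a1", "summer2024")
    return can_view_vulnerable(s, "a2"), can_view_fixed(s, "a2")
```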

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lychee to version 7.1.0 or later to apply the fix that isolates album passwords from propagating between albums.
  • If an upgrade cannot be performed immediately, avoid using the same password across multiple public albums and limit public sharing where possible to reduce the impact of the flaw.
  • Monitor application logs for repeated album unlock attempts or anomalous access patterns that may indicate exploitation of this authorization bypass.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 18:45:00 +0000

Values removed: (none)
Values added:
  CPEs: cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*
  Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 13 Jan 2026 09:30:00 +0000

Values removed: (none)
Values added:
  First Time appeared: Lycheeorg; Lycheeorg lychee
  Vendors & Products: Lycheeorg; Lycheeorg lychee

Mon, 12 Jan 2026 19:15:00 +0000

Values removed: (none)
Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 19:00:00 +0000

Values removed: (none)
Values added:
  Description: Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.
  Title: Lychee cross-album password propagation on Album unlocking
  Weaknesses: CWE-863
  References:
  Metrics: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T18:55:55.328Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22784

Vulnrichment

Updated: 2026-01-12T18:55:50.794Z

NVD

Status: Analyzed

Published: 2026-01-12T19:16:04.127

Modified: 2026-01-16T18:39:42.707

Link: CVE-2026-22784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses