Description
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Internal Network Access
Action: Patch immediately
AI Analysis

Impact

An authenticated user can exploit a flaw in Lychee’s Photo::fromUrl method that does not block loopback or link-local IP addresses. The incomplete IP validation lets attackers force the application to issue requests to arbitrary internal addresses, thereby bypassing the four protection settings even when they are set to secure defaults. The result is unauthorized access to internal services or data, compromising the confidentiality and integrity of resources behind the network firewall.

Affected Systems

Software installations of Lychee released before version 7.5.1 are affected. The vulnerability sits in the Photo::fromUrl functionality used when importing images via external URLs. Users running any pre-7.5.1 release of Lychee’s open-source photo-management tool are at risk.

Risk and Exploitability

The problem carries a CVSS score of 5.3, indicating moderate severity. No EPSS score is available and the issue is not listed in CISA’s KEV catalog. Exploitation requires a valid user session within the Lychee instance; the attacker supplies a target IP. Because the flaw bypasses all configured safeguards, the risk of internal network compromise is significant for deployments that do not restrict internal service access and run older releases.

Generated by OpenCVE AI on March 26, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lychee to version 7.5.1 or later to apply the official fix.
  • If upgrading immediately is not possible, block internal loopback and link‑local IP ranges at the perimeter or in the application configuration to prevent SSRF to internal services.
  • Reinforce authentication controls so that only trusted users can access the Photo::fromUrl feature.
  • Monitor application logs for internal request patterns and anomalous IP usage.
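The kind of destination check that the fix and the second recommendation call for, as an added Python example (Lychee itself is PHP; this is not the project's code). It goes beyond the two ranges named on this page: it rejects every non-public address class, including IPv4-mapped IPv6 forms, and vets every address a hostname resolves to, with the resolver injectable (assumed to follow the socket.getaddrinfo interface) so it can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not Lychee's PHP code: a destination check for URL imports that
# rejects every non-public address class, including the loopback and link-local
# ranges the incomplete check described on this page let through.

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_text: str) -> bool:
    """True only for a globally routable unicast address (IPv4 or IPv6)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    blocked = (ip.is_loopback or ip.is_link_local or ip.is_private
               or ip.is_reserved or ip.is_multicast or ip.is_unspecified)
    return ip.is_global and not blocked


def validate_import_url(url: str, resolver=socket.getaddrinfo) -> list[str]:
    """Vet a user-supplied import URL and return the addresses it resolves to.

    Every resolved address must be public, so a hostname with even one
    internal A/AAAA record is rejected. The caller should connect to one of
    the returned addresses instead of re-resolving the name, which would
    reopen a DNS-rebinding window. `resolver` is injectable for offline
    testing (assumed interface: that of socket.getaddrinfo).
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are allowed")
    host = parts.hostname
    try:
        ipaddress.ip_address(host)      # literal IP in the URL: no DNS needed
        addrs = [host]
    except ValueError:
        infos = resolver(host, parts.port or 80, proto=socket.IPPROTO_TCP)
        addrs = sorted({info[4][0] for info in infos})
    rejected = [a for a in addrs if not is_public_ip(a)]
    if rejected or not addrs:
        raise ValueError(f"destination not allowed: {rejected or 'unresolvable host'}")
    return addrs
```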

Tracking

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Lycheeorg; Lycheeorg lychee
Vendors & Products   (none)           Lycheeorg; Lycheeorg lychee

Thu, 26 Mar 2026 20:30:00 +0000

Type / Values Removed / Values Added:
  • Description (added): Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.
  • Title (added): Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
  • Weaknesses (added): CWE-918
  • References (added):
  • Metrics (added): cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


Subscriptions

Lycheeorg Lychee
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:01:19.377Z

Reserved: 2026-03-20T18:05:11.831Z

Link: CVE-2026-33537

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T21:17:05.703

Modified: 2026-03-26T21:17:05.703

Link: CVE-2026-33537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:16Z

Weaknesses