Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (lines 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.
Published: 2026-03-26
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery via DNS rebinding
Action: Patch
AI Analysis

Impact

Lychee, a free photo‑management tool, contains a flaw that allows attackers to perform server‑side request forgery by using DNS rebinding to bypass the tool's SSRF protection. In PhotoUrlRule.php, the check that validates an IP address is only executed when the supplied hostname is an IP literal. When a domain name that resolves to an internal IP is used instead, the validation is skipped, and the application fetches the resource from the internal network. This can expose sensitive internal services or data to unauthorized parties.

Affected Systems

The vulnerability affects Lychee (by LycheeOrg) in all versions prior to 7.5.2; every release before 7.5.2 is susceptible to the SSRF bypass described above.

Risk and Exploitability

The CVSS base score is 2.3 (Low) and the EPSS score is below 1%, with no listing in the CISA KEV catalog, which together suggest a low likelihood of widespread exploitation. The flaw is nonetheless remotely exploitable through DNS rebinding: an attacker controls a DNS name that resolves to an internal IP address and supplies that hostname in a URL validated by PhotoUrlRule. Because the rule only inspects IP literals, the application performs the outbound request to the internal resource, bypassing the intended IP check. As this requires only an HTTP request to the vulnerable endpoint, an attacker with internet access to the Lychee instance can use the issue to probe or reach private network services.

Generated by OpenCVE AI on March 30, 2026 at 19:28 UTC.
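
The following is an added example and is not code from Lychee or from this advisory. It reconstructs the weak pattern the description names (a range check gated on `filter_var($host, FILTER_VALIDATE_IP)`, so hostnames are never inspected) beside a hardened validator that resolves the hostname first and rejects the URL if any resolved address is internal. The function names, the injectable `$resolver` parameter and the sample hostnames are constructed for this illustration; the project's real line numbers and class layout are not reproduced.

```php
<?php
// Added example, not Lychee's code: the weak pattern the advisory describes
// (IP literals checked, hostnames passed through) beside a hardened validator
// that resolves the hostname and checks every address it resolves to.
// Function names, the $resolver parameter and the sample inputs are all
// constructed for this illustration. Requires PHP 8.0 or later.

declare(strict_types=1);

// True if $ip is loopback, link-local, RFC 1918, ULA or otherwise reserved.
// Anything that is not a valid public address is treated as internal (fail closed).
function isInternalAddress(string $ip): bool
{
    $public = filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return $public === false;
}

// Weak form (reconstruction of the flaw, not the project's exact code):
// the range check only runs when the host is an IP literal, so a hostname
// that resolves to 127.0.0.1 is never inspected.
function weakUrlCheck(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return !isInternalAddress($host);
    }
    return true; // hostname: no check at all, which is the SSRF bypass
}

// Hardened form: validate the scheme, resolve the hostname, and reject the URL
// if any resolved address is internal. $resolver is injectable so the example
// runs offline; the default uses PHP's gethostbynamel() and dns_get_record().
function hardenedUrlCheck(string $url, ?callable $resolver = null): bool
{
    $resolver ??= static function (string $host): array {
        $v4 = gethostbynamel($host) ?: [];
        $v6 = array_column(dns_get_record($host, DNS_AAAA) ?: [], 'ipv6');
        return array_merge($v4, $v6);
    };

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false; // no file://, gopher:// and similar schemes
    }

    $host = trim($parts['host'], '[]'); // bracketed IPv6 literal
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return !isInternalAddress($host);
    }

    $addresses = $resolver($host);
    if ($addresses === []) {
        return false; // unresolvable: reject rather than let the fetcher decide
    }
    foreach ($addresses as $ip) {
        if (isInternalAddress($ip)) {
            return false;
        }
    }
    return true;
}

// Constructed resolver standing in for DNS so the demo runs without network.
$fakeDns = static fn (string $host): array => match ($host) {
    'rebind.example' => ['127.0.0.1'],    // attacker-controlled name -> loopback
    'photos.example' => ['203.0.113.10'], // documentation range, public
    default          => [],
};

$samples = [
    'http://10.0.0.5/a.jpg',        // IP literal: both checks reject it
    'http://rebind.example/a.jpg',  // hostname to loopback: weak check accepts it
    'https://photos.example/a.jpg', // hostname to public address: both accept it
];
foreach ($samples as $url) {
    printf(
        "%-32s weak=%s hardened=%s\n",
        $url,
        var_export(weakUrlCheck($url), true),
        var_export(hardenedUrlCheck($url, $fakeDns), true)
    );
}
```

Resolving before checking closes the hostname gap but not the rebinding race itself: a name with a short TTL can resolve to a public address at validation time and to an internal one when the HTTP client connects a moment later. The fetch therefore has to be pinned to the address that was validated (for example with cURL's CURLOPT_RESOLVE), or the client has to apply the same range check to the address it actually connects to, and any redirect target must be re-validated the same way.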

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch by upgrading Lychee to version 7.5.2 or later.
  • Confirm that the upgraded version no longer processes the vulnerable PhotoUrlRule logic.
  • If an upgrade cannot be performed immediately, restrict external URLs to known safe hosts or temporarily disable the PhotoUrlRule functionality to prevent potential SSRF.
  • Review logs for unexpected outbound network activity and keep the application updated with future security releases.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 18:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Mon, 30 Mar 2026 12:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Lycheeorg; Lycheeorg lychee

Type: Vendors & Products
Values Added: Lycheeorg; Lycheeorg lychee

Thu, 26 Mar 2026 20:30:00 +0000

Type: Description
Values Added: Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (lines 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.

Type: Title
Values Added: Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T11:30:40.546Z

Reserved: 2026-03-23T15:23:42.216Z

Link: CVE-2026-33644

Vulnrichment

Updated: 2026-03-30T11:30:34.191Z

NVD

Status : Analyzed

Published: 2026-03-26T21:17:07.793

Modified: 2026-03-30T18:10:16.807

Link: CVE-2026-33644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:30Z

Weaknesses