Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (lines 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.
Published: 2026-03-26
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: Server‑Side Request Forgery via DNS rebinding
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from a flaw in Lychee’s SSRF filter, which validates only literal IP addresses. When the application receives a domain name that resolves to a private network address, the IP validation step is skipped entirely, permitting outbound HTTP requests to internal resources. This can expose sensitive services or data on the internal network and provide a foothold for further attacks. The weakness is classed as CWE-918 (server-side request forgery).
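The weak pattern the description names, next to a hardened check, as an added PHP illustration that is not Lychee's own code: `isInternalIp`, `weakHostCheck`, `resolveAndCheckHost` and the name `rebind.example` are assumed here, and the resolver is injectable so the rebinding case can be reproduced offline.

```php
<?php
// Added example, not Lychee's code; function names are hypothetical.

// True if $ip is a literal address in a private, loopback, link-local or
// reserved range (or not a valid literal IP at all).
function isInternalIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

// Weak pattern from the advisory: the range check only runs for a literal
// IP, so any hostname passes whatever it resolves to.
function weakHostCheck(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return !isInternalIp($host);
    }
    return true; // hostname: check skipped entirely
}

// Hardened: resolve A and AAAA once, reject if ANY answer is internal, and
// return the vetted address so the HTTP client connects to it directly
// instead of resolving again (the window DNS rebinding exploits).
function resolveAndCheckHost(string $host, ?callable $resolver = null): ?string
{
    $resolver ??= function (string $h): array {
        $out = [];
        foreach (dns_get_record($h, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $out[] = $rec['ip'] ?? $rec['ipv6'] ?? '';
        }
        return $out;
    };
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host] : $resolver($host);
    if ($addresses === []) {
        return null; // unresolvable: refuse rather than let the client retry
    }
    foreach ($addresses as $ip) {
        if (isInternalIp($ip)) {
            return null;
        }
    }
    return $addresses[0];
}

// Constructed resolver: a rebinding name whose answer is loopback by the
// time the check runs. The weak check passes it; the hardened one rejects it.
$fake = fn(string $h): array => ['127.0.0.1'];
var_dump(weakHostCheck('rebind.example'), resolveAndCheckHost('rebind.example', $fake));
```

Returning the vetted address only helps if the fetch actually uses it; with cURL that means pinning it via `CURLOPT_RESOLVE` (`"$host:$port:$ip"`) and either refusing redirects or re-running the check on every hop.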

Affected Systems

Lychee installations from the official repository before version 7.5.2 are affected. Any deployment running these releases that processes external URLs through the PhotoUrlRule component is vulnerable.

Risk and Exploitability

The assigned CVSS score of 2.3 reflects a low severity level; no EPSS score is available and the issue is not listed in the CISA known‑exploited vulnerabilities catalog. Exploiting the flaw requires an attacker to craft a DNS rebinding attack that forces the Lychee server to resolve a domain to an internal IP address. While this does not grant code execution on the host, it enables the attacker to probe or communicate with services behind the firewall, depending on the internal network’s exposure.

Generated by OpenCVE AI on March 26, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lychee to version 7.5.2 or newer
  • If an upgrade cannot be performed immediately, limit outbound connections from the Lychee instance to a whitelist of trusted IPs and domains
  • Verify that the SSRF protection logic no longer skips host validation by testing with controlled inputs

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

First Time appeared (values added): Lycheeorg; Lycheeorg lychee
Vendors & Products (values added): Lycheeorg; Lycheeorg lychee

Thu, 26 Mar 2026 20:30:00 +0000

Description (values added): Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (lines 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.
Title (values added): Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs
Weaknesses (values added): CWE-918
References (values added):
Metrics (values added): cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:04:18.728Z

Reserved: 2026-03-23T15:23:42.216Z

Link: CVE-2026-33644

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T21:17:07.793

Modified: 2026-03-26T21:17:07.793

Link: CVE-2026-33644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:40Z

Weaknesses