← Back
2026-03-26 20:1CVE-2026-33537GitHub_M
PUBLISHED5.2CWE-918

Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.

Problem type

Affected products

LycheeOrg

Lychee

< 7.5.1 - AFFECTED

References

https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287

https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287

x_refsource_CONFIRM
https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a

https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a

x_refsource_MISC

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-33537
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-33537",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-03-26T20:01:19.377Z",
    "dateReserved": "2026-03-20T18:05:11.831Z",
    "datePublished": "2026-03-26T20:01:19.377Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-03-26T20:01:19.377Z"
      },
      "title": "Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked",
      "descriptions": [
        {
          "lang": "en",
          "value": "Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue."
        }
      ],
      "affected": [
        {
          "vendor": "LycheeOrg",
          "product": "Lychee",
          "versions": [
            {
              "version": "< 7.5.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "cweId": "CWE-918",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287",
          "name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a",
          "name": "https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}