Bypass of Server-Side Request Forgery Protection in Lychee Photo Management Tool
CVE-2026-33644

2.3 LOW

Key Information:

Vendor

Lycheeorg

Status
Vendor
CVE Published:
26 March 2026

What is CVE-2026-33644?

The Lychee photo-management tool, prior to version 7.5.2, contains a vulnerability that allows attackers to bypass its Server-Side Request Forgery (SSRF) protection. The flaw lies in how the application validates IP addresses in the PhotoUrlRule.php script: the IP validation logic runs only when the supplied hostname is an IP literal, so domain names are never validated. An attacker can exploit this gap through DNS rebinding, potentially causing the server to issue unauthorized requests. Users are advised to upgrade to version 7.5.2 or later to mitigate this issue.
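
The following is an added illustration of the defect described above and of the resolve-and-pin mitigation; it is example code written for this page, not Lychee's own PhotoUrlRule.php (which is PHP). `vulnerable_check` models the described logic (the filter runs only for IP literals), while `hardened_check` resolves non-literal hostnames, vets every answer, and returns the vetted addresses for the caller to connect to; the `FAKE_DNS` table and its hostnames are constructed assumptions so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline; hostnames are invented.
FAKE_DNS = {
    "photos.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],  # answers that also point at loopback
    "intranet.example": ["10.0.0.5"],
}


def is_disallowed(ip_text):
    """True for addresses an SSRF filter should refuse (loopback, private, link-local, ...)."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vulnerable_check(url):
    """Models the described defect: the IP filter runs only for IP-literal hostnames."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True  # a domain name skips validation entirely
    return not is_disallowed(host)


def hardened_check(url, dns=FAKE_DNS):
    """Resolve the host, vet every answer, and return the pinned addresses (None = reject).

    The caller must connect to one of the returned addresses instead of letting the
    HTTP client resolve the name again, otherwise a rebinding DNS server can swap
    the answer between the check and the request.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname or ""
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: vet it directly
    except ValueError:
        addrs = dns.get(host, [])  # domain name: vet every resolved address
    if not addrs or any(is_disallowed(a) for a in addrs):
        return None
    return addrs
```

Checking resolved addresses closes the domain-name gap, but only connecting to the pinned address (rather than re-resolving at request time) removes the rebinding window.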

Affected Version(s)

Lychee < 7.5.2

References

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
