CVE-2026-33537
Received Received - Intake
SSRF in Lychee Photo::fromUrl Allows Internal Network Access

Publication date: 2026-03-26

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33537
EUVD
EUVD-2026-16369
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lycheeorg lychee to 7.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33537 is a Server-Side Request Forgery (SSRF) vulnerability in the Lychee photo management application, specifically in the function that imports photos from URLs (`Photo::fromUrl`).

The vulnerability arises because the IP address validation logic is incomplete and fails to block loopback IP addresses (such as 127.0.0.1) and link-local IP addresses (such as 169.254.x.x). This means an authenticated user can bypass security settings designed to prevent access to internal network resources by specifying these IP addresses directly.

The issue is due to the use of PHP's `filter_var` function with only the `FILTER_FLAG_NO_PRIV_RANGE` flag, which blocks private IP ranges but not reserved or loopback ranges. Also, the check for 'localhost' only matches the hostname string and does not cover loopback IP addresses.

This allows attackers to reach internal services, including sensitive endpoints like the AWS EC2 metadata service, potentially exposing sensitive information.

The vulnerability was fixed in Lychee version 7.5.1 by enhancing IP validation to block both private and reserved IP ranges and expanding the localhost check to include loopback IP addresses.

Impact Analysis

This vulnerability allows an authenticated user to perform SSRF attacks by bypassing IP validation and accessing internal network services that should be protected.

An attacker can exploit this to reach sensitive internal endpoints, such as the AWS EC2 instance metadata service, which can expose IAM credentials and other sensitive data.

Such unauthorized access to internal services can lead to information disclosure, privilege escalation, or further compromise of the internal network.

Because the vulnerability bypasses all four protection configuration settings even when set to secure defaults, it poses a significant risk to the confidentiality and integrity of internal resources.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized POST requests to the Lychee application's endpoint `/api/v2/Photo::fromUrl` that include URLs with loopback (127.0.0.1) or link-local (169.254.x.x) IP addresses.

Example commands to detect potential exploitation attempts include using network traffic inspection tools or web server logs to search for such requests.

  • Using grep on web server logs to find suspicious POST requests: grep -i 'POST /api/v2/Photo::fromUrl' /var/log/nginx/access.log | grep -E '127\.0\.0\.1|169\.254\.'
  • Using tcpdump to capture HTTP traffic containing loopback or link-local IPs: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) != 0))' | grep -E '127\.0\.0\.1|169\.254\.'

Additionally, reviewing application logs for calls to the `Photo::fromUrl` function with URLs containing these IP ranges can help identify exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade the Lychee application to version 7.5.1 or later, which contains the fix for this vulnerability.

The fix includes enhanced IP validation that blocks loopback, link-local, private, and reserved IP addresses by using both FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE flags, and expands localhost checks to include IP addresses such as 127.0.0.1 and ::1.

If upgrading immediately is not possible, consider restricting access to the vulnerable endpoint `/api/v2/Photo::fromUrl` to trusted users only and implementing network-level controls to block outgoing requests to internal IP ranges from the application server.

Compliance Impact

CVE-2026-33537 is a Server-Side Request Forgery (SSRF) vulnerability in the Lychee photo management application that allows authenticated users to bypass IP validation and access internal services, including sensitive endpoints such as the AWS EC2 metadata service. This could potentially expose sensitive information like IAM credentials.

While the provided context and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to access internal services and sensitive metadata through SSRF could lead to unauthorized data access or data breaches. Such incidents may impact compliance with data protection regulations that require safeguarding personal and sensitive data.

Therefore, organizations using vulnerable versions of Lychee might face increased risk of non-compliance with regulations that mandate strict access controls and protection of sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart