CVE-2026-33537
SSRF in Lychee Photo::fromUrl Allows Internal Network Access
Publication date: 2026-03-26
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| lycheeorg | lychee | all versions before 7.5.1 (7.5.1 itself is fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-33537 is a Server-Side Request Forgery (SSRF) vulnerability in the Lychee photo management application that allows authenticated users to bypass IP validation and access internal services, including sensitive endpoints such as the AWS EC2 metadata service. This could potentially expose sensitive information like IAM credentials.
While the provided context and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to access internal services and sensitive metadata through SSRF could lead to unauthorized data access or data breaches. Such incidents may impact compliance with data protection regulations that require safeguarding personal and sensitive data.
Therefore, organizations using vulnerable versions of Lychee might face increased risk of non-compliance with regulations that mandate strict access controls and protection of sensitive information.
Can you explain this vulnerability to me?
CVE-2026-33537 is a Server-Side Request Forgery (SSRF) vulnerability in the Lychee photo management application, specifically in the function that imports photos from user-supplied URLs (`Photo::fromUrl`).
The vulnerability arises because the IP address validation is incomplete: it fails to block loopback addresses (127.0.0.0/8 and ::1) and link-local addresses (169.254.0.0/16, which includes the cloud metadata address 169.254.169.254). An authenticated user can therefore bypass the settings intended to keep imports away from internal network resources simply by writing one of these addresses into the import URL.
The root cause is the use of PHP's `filter_var` with `FILTER_VALIDATE_IP` and only the `FILTER_FLAG_NO_PRIV_RANGE` flag. That flag rejects the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) but not the reserved ranges covered by `FILTER_FLAG_NO_RES_RANGE`, such as 127.0.0.0/8, 169.254.0.0/16 and ::1. In addition, the 'localhost' check compares only the hostname string, so the literal addresses 127.0.0.1 and ::1 pass it untouched.
This lets an attacker make the Lychee server fetch internal services on its behalf, including sensitive endpoints such as the AWS EC2 instance metadata service, and potentially read the response.
The vulnerability was fixed in Lychee version 7.5.1 by validating with both `FILTER_FLAG_NO_PRIV_RANGE` and `FILTER_FLAG_NO_RES_RANGE`, so that private and reserved ranges are both rejected, and by extending the localhost check to the loopback literals 127.0.0.1 and ::1.
How can this vulnerability impact me?
This vulnerability allows an authenticated user to perform SSRF attacks by bypassing IP validation and accessing internal network services that should be protected.
An attacker can exploit this to reach sensitive internal endpoints, such as the AWS EC2 instance metadata service, which can expose IAM credentials and other sensitive data.
Such unauthorized access to internal services can lead to information disclosure, privilege escalation, or further compromise of the internal network.
Because the vulnerability bypasses all four protection configuration settings even when set to secure defaults, it poses a significant risk to the confidentiality and integrity of internal resources.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts show up as POST requests to the Lychee endpoint `/api/v2/Photo::fromUrl` whose submitted URL points at a loopback (127.0.0.0/8, ::1) or link-local (169.254.0.0/16) address. One caveat matters for detection: the URL to import travels in the POST body, and a standard web-server access log records only the request line, so the fetched URL is not visible there. The body can be seen only in the application's own logs, in a request-body audit log (for example from a WAF in front of Lychee), or in a packet capture of plaintext traffic. The server's own outbound connections are the other reliable signal: a web application host normally has no reason to open connections to 169.254.169.254.
Example commands:
- Find who called the import endpoint, then correlate those timestamps with outbound connections or application logs (do not grep the access log for 127.0.0.1 alone, since the client address of a local reverse proxy will match and produce noise): grep 'POST /api/v2/Photo::fromUrl' /var/log/nginx/access.log
- Capture plaintext HTTP segments that carry a payload at a point before TLS termination and search the bodies for loopback or link-local targets: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E '127\.0\.0\.1|169\.254\.' (the filter subtracts both the IP and TCP header lengths so that empty ACK segments are skipped; a version without the TCP term matches every packet).
- Watch for the application host itself talking to the metadata service or to loopback services it does not normally use, for example with ss -tnp | grep -E '169\.254\.169\.254|127\.0\.0\.1' run on the server, or with host-firewall logging of outbound traffic to those ranges.
Reviewing the application's own logs for `Photo::fromUrl` imports whose target is in these ranges, and correlating them with the outbound-connection evidence above, gives far stronger attribution than the access log on its own.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Lychee application to version 7.5.1 or later, which contains the fix for this vulnerability.
The fix includes enhanced IP validation that blocks loopback, link-local, private, and reserved IP addresses by using both FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE flags, and expands localhost checks to include IP addresses such as 127.0.0.1 and ::1.
If upgrading immediately is not possible, restrict the `/api/v2/Photo::fromUrl` endpoint to administrators you trust (the flaw is reachable only by authenticated users, so limiting who can import from URLs directly shrinks the exposure), and add network-level egress controls so the application server cannot reach 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 except for the services it genuinely needs. On AWS specifically, requiring IMDSv2 (HttpTokens=required) with a hop limit of 1 on the instance prevents a simple GET from the web application from reading instance credentials, which removes the most damaging target even before the upgrade lands.
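The following PHP script is an added example, not Lychee's code: it models the two validation variants described in the explanation and the fix above so the bypass can be seen on concrete inputs. The function names, the constructed `FAKE_DNS` map standing in for name resolution (so the script runs offline), and the sample URLs are all assumptions of this example; the flag combinations are the ones the advisory text describes.

```php
<?php
declare(strict_types=1);

// Added example (not Lychee's code). Models the vulnerable and hardened
// IP checks described in the advisory so the difference is visible.

/** Constructed stand-in for DNS so the example runs offline (not real lookups). */
const FAKE_DNS = [
    'localhost'   => '127.0.0.1',
    'example.com' => '93.184.216.34',
];

/** Extract the host from a URL; IPv6 literals lose their surrounding brackets. */
function hostOf(string $url): ?string
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && $host !== '' ? trim($host, '[]') : null;
}

/** Return the host unchanged if it is an IP literal, else consult FAKE_DNS. */
function resolveHost(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    return FAKE_DNS[strtolower($host)] ?? null;
}

/** Vulnerable variant: private ranges only, and 'localhost' matched by name only. */
function isBlockedVulnerable(string $host, string $ip): bool
{
    if (strtolower($host) === 'localhost') {
        return true;
    }
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 (and fc00::/7 for IPv6)
    // but still accepts 127.0.0.0/8, 169.254.0.0/16 and ::1.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) === false;
}

/** Hardened variant: private and reserved ranges, plus loopback literals by name. */
function isBlockedHardened(string $host, string $ip): bool
{
    if (in_array(strtolower($host), ['localhost', '127.0.0.1', '::1'], true)) {
        return true;
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}

/** 'blocked' or 'ALLOWED' for a URL under the chosen variant; fails closed on bad input. */
function verdict(string $url, bool $hardened): string
{
    $host = hostOf($url);
    $ip   = $host === null ? null : resolveHost($host);
    if ($host === null || $ip === null) {
        return 'blocked';
    }
    $blocked = $hardened ? isBlockedHardened($host, $ip) : isBlockedVulnerable($host, $ip);
    return $blocked ? 'blocked' : 'ALLOWED';
}

// Constructed sample URLs covering each class the advisory mentions.
$samples = [
    'http://10.0.0.5/',                          // RFC 1918: both variants block
    'http://localhost/',                         // name check: both variants block
    'http://127.0.0.1:8080/',                    // loopback literal: only NO_RES_RANGE blocks
    'http://169.254.169.254/latest/meta-data/',  // link-local (IMDS): only NO_RES_RANGE blocks
    'http://[::1]/',                             // IPv6 loopback: only NO_RES_RANGE blocks
    'http://example.com/photo.jpg',              // public: both variants allow
];

printf("%-45s %-10s %s\n", 'URL', 'vulnerable', 'hardened');
foreach ($samples as $url) {
    printf("%-45s %-10s %s\n", $url, verdict($url, false), verdict($url, true));
}
```

Run with `php check.php`; the three middle rows are the bypass: they print `ALLOWED` under the vulnerable variant and `blocked` under the hardened one. Two caveats worth keeping in mind when porting this pattern: the check classifies whatever address the name resolves to at check time, so the HTTP client used afterwards must not re-resolve the name or follow redirects to a different host without re-running the check, and an address-based blocklist is only a backstop for a network-level egress policy, not a replacement for it.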