CVE-2026-33644
Received Received - Intake
SSRF Bypass via DNS Rebinding in Lychee PhotoUrlRule.php

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33644
EUVD
EUVD-2026-16374
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lycheeorg lychee to 7.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33644 is a Server-Side Request Forgery (SSRF) vulnerability in the Lychee photo management application prior to version 7.5.2. The issue arises because the application attempts to block requests to private or reserved IP addresses only when the hostname is directly an IP address. If a domain name is used instead, the IP validation check is bypassed due to the way the code uses PHP's filter_var function, which returns false for hostnames, skipping the private IP check.

This allows an attacker to use DNS rebinding techniques by supplying a hostname that resolves to an internal or localhost IP address, thereby bypassing the SSRF protections. An authenticated user can exploit this by sending a URL with a DNS name that resolves to internal IPs, causing the server to make requests to internal services that should normally be inaccessible.

Impact Analysis

This vulnerability allows an authenticated user to perform SSRF attacks against internal HTTP services that are normally inaccessible from outside the network. By exploiting DNS rebinding, an attacker can cause the server to make requests to internal IP addresses, including localhost and cloud metadata endpoints.

The impact includes potential exposure of sensitive information or internal infrastructure details, as the attacker can access internal services through the vulnerable photo import functionality. Although the CVSS score rates this as a low severity issue, it still poses a risk to confidentiality by enabling unauthorized internal network access.

Detection Guidance

Detection of this SSRF vulnerability involves monitoring for requests to the Lychee photo management application's endpoint that import photos via URLs, especially POST requests to `/api/v2/Photo::fromUrl` containing URLs with hostnames that resolve to internal, private, or localhost IP addresses.

Since the vulnerability exploits DNS rebinding by using hostnames that resolve to private or reserved IPs, you can detect suspicious activity by resolving hostnames used in photo import URLs and checking if they map to private or localhost IP ranges.

Suggested commands to detect such activity include:

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outgoing HTTP requests from the Lychee server to internal IP ranges.
  • Extract hostnames from logs or intercepted requests and resolve them using commands like `dig` or `nslookup` to check if they resolve to private or localhost IPs.
  • Example command to resolve a hostname and check its IPs: `dig +short example-hostname.com` or `nslookup example-hostname.com`.
  • Check application logs for POST requests to `/api/v2/Photo::fromUrl` with suspicious URLs.
Mitigation Strategies

The primary mitigation is to upgrade the Lychee photo management application to version 7.5.2 or later, where the vulnerability is patched.

The patch improves hostname resolution and validation by resolving hostnames to their IP addresses and blocking URLs that resolve to private, reserved, or localhost IP addresses, preventing DNS rebinding attacks.

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Restrict network access from the Lychee server to internal IP ranges to prevent SSRF exploitation.
  • Configure firewall rules to block outgoing requests to private, reserved, and localhost IP ranges.
  • Disable or restrict the photo import via URL feature if feasible.
  • Monitor and audit application logs for suspicious requests attempting to exploit this vulnerability.
Compliance Impact

The vulnerability allows authenticated users to perform Server-Side Request Forgery (SSRF) attacks that can access internal HTTP services, potentially exposing sensitive information or internal infrastructure.

Such unauthorized access to internal services and sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

By enabling attackers to bypass IP validation and access internal resources, the vulnerability increases the risk of data breaches and unauthorized data exposure, which are critical compliance concerns under these standards.

The fix implemented in version 7.5.2 mitigates this risk by properly resolving hostnames to IP addresses and blocking requests to private, reserved, or localhost IPs, thereby helping maintain compliance with security requirements of such regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33644. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart