CVE-2026-22784 Overview
An authorization bypass vulnerability has been discovered in Lychee, a free, open-source photo-management tool. Prior to version 7.1.0, a critical flaw exists in Lychee's album password unlock functionality that allows users to gain unauthorized access to other users' password-protected albums. When a user successfully unlocks a password-protected public album, the system inadvertently unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass.
Critical Impact
Unauthorized access to password-protected photo albums belonging to other users, potentially exposing private and sensitive images across multiple user accounts.
Affected Products
- Lychee Photo Management Tool versions prior to 7.1.0
Discovery Timeline
- 2026-01-12 - CVE-2026-22784 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22784
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization), a fundamental access control weakness where the application fails to properly restrict access to resources. The flaw resides in how Lychee implements password-based access control for public photo albums.
When multiple public albums are configured with identical passwords, the authorization logic incorrectly treats a successful unlock of one album as authorization to access all albums sharing that password. This design flaw means that a user who knows the password to their own password-protected public album (or any single public album) automatically gains access to all other public albums configured with the same password, regardless of ownership.
The vulnerability requires network access and some user interaction to exploit. An attacker first needs to know a password that protects at least one public album. Once that one album is unlocked, the flawed authorization logic grants access to every other public album protected by the same password, system-wide.
Root Cause
The root cause is improper implementation of authorization checks in the album password unlock functionality. Instead of maintaining per-album, per-user unlock state, the system appears to use a shared password validation mechanism that grants overly broad access. The authorization logic fails to scope the unlock action to the specific album being accessed, instead applying it globally to all albums with matching passwords.
Attack Vector
The attack is network-based and targets Lychee's album password unlock endpoint. An attacker would:
- Identify a Lychee instance with password-protected public albums
- Obtain or guess the password for any single public album (through legitimate access, social engineering, or brute force)
- Submit the password to unlock the known album
- The flawed authorization logic then automatically grants access to all other public albums sharing that same password
- Browse and potentially download private photos from albums belonging to other users
The vulnerability allows horizontal privilege escalation between users who happen to use identical album passwords. For more technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-22784
Indicators of Compromise
- Unusual access patterns to multiple password-protected albums from a single session or IP address
- Album access logs showing a user accessing albums they do not own after unlocking their own album
- Multiple album unlock events followed by rapid access to numerous protected albums
- Access to password-protected albums without corresponding unlock requests in application logs
Detection Strategies
- Monitor application logs for users accessing albums owned by other users after a successful password unlock
- Implement alerting on access to multiple distinct password-protected albums within a short time window
- Review audit logs for patterns where a single unlock event leads to access across multiple albums
- Deploy web application firewall (WAF) rules to detect and alert on unusual album access patterns
Monitoring Recommendations
- Enable detailed access logging for all password-protected album operations
- Implement session tracking to correlate unlock events with subsequent album access
- Create baseline metrics for normal album access patterns per user to identify anomalies
- Configure alerts for cross-user album access attempts following unlock events
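As an added example (not part of this advisory and not Lychee's own log format or code), the following Python implements two of the detection ideas above over a constructed access log: a password-protected album viewed by a session that never unlocked it, where the viewer is not the album's owner, and a session that reaches several distinct protected albums within a short window. The log fields, session ids, user names and album names are constructed assumptions, and every album in the sample is assumed to be password-protected.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, not Lychee's format. Fields: timestamp session user event album owner
SAMPLE_LOG = """\
2026-01-12T10:00:01Z sess-1 alice unlock alice-holiday alice
2026-01-12T10:00:05Z sess-1 alice view alice-holiday alice
2026-01-12T10:00:09Z sess-1 alice view bob-family bob
2026-01-12T10:00:12Z sess-1 alice view dave-trip dave
2026-01-12T10:05:00Z sess-2 carol unlock carol-work carol
2026-01-12T10:05:03Z sess-2 carol view carol-work carol
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (unlock|view) (\S+) (\S+)$")

def parse(text: str) -> list:
    # Returns (timestamp, session, user, event, album, owner); unparseable lines are skipped.
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, *rest = m.groups()
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), *rest))
    return events

def cross_user_views(text: str) -> list:
    # Indicator: a protected album viewed by a session that never unlocked it, and
    # whose owner is not the viewing user (the bypass pattern described above).
    unlocked = defaultdict(set)
    alerts = []
    for _, sess, user, event, album, owner in parse(text):
        if event == "unlock":
            unlocked[sess].add(album)
        elif album not in unlocked[sess] and owner != user:
            alerts.append((sess, user, album))
    return alerts

def burst_sessions(text: str, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    # Indicator: sessions viewing at least `threshold` distinct protected albums within `window`.
    views = defaultdict(list)
    for ts, sess, _, event, album, _ in parse(text):
        if event == "view":
            views[sess].append((ts, album))
    return [sess for sess, items in views.items()
            if any(len({a for t, a in items[i:] if t - start <= window}) >= threshold
                   for i, (start, _) in enumerate(items))]
```

Both functions flag sess-1 on the sample log: it unlocked only alice-holiday yet viewed bob's and dave's albums, and it reached three distinct protected albums within seconds.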
How to Mitigate CVE-2026-22784
Immediate Actions Required
- Upgrade Lychee to version 7.1.0 or later immediately
- Audit password-protected public albums to identify any with shared passwords
- Encourage users to set unique passwords for each protected album
- Review access logs for any suspicious access patterns that may indicate prior exploitation
Patch Information
The vulnerability has been fixed in Lychee version 7.1.0. The fix ensures that unlocking a password-protected album only grants access to that specific album, not all albums sharing the same password. The patch can be reviewed in the GitHub commit.
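As an added illustration (not Lychee's code), this Python model contrasts the pre-7.1.0 behaviour described under Root Cause with the scoped check described here: the vulnerable unlock tries the submitted password against every public album and records each match, while the fixed unlock verifies and records only the album the visitor asked to open. Album names, owners, passwords and the PBKDF2 hashing scheme are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple

ITERATIONS = 10_000  # reduced for the demo; real deployments use a much higher cost

class Album(NamedTuple):
    id: str
    owner: str
    salt: bytes
    pw_hash: bytes

def make_album(album_id: str, owner: str, password: str) -> Album:
    # Constructed album record: per-album salt and PBKDF2 hash of the album password.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return Album(album_id, owner, salt, digest)

def verify(album: Album, password: str) -> bool:
    # Constant-time comparison against exactly one album's stored hash.
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), album.salt, ITERATIONS)
    return hmac.compare_digest(cand, album.pw_hash)

def unlock_vulnerable(session: set, albums: list, password: str) -> set:
    # Pre-7.1.0 behaviour (modelled): the password is tried against every public album
    # and each match is recorded, so one password opens other users' albums sharing it.
    for album in albums:
        if verify(album, password):
            session.add(album.id)
    return session

def unlock_fixed(session: set, albums: list, album_id: str, password: str) -> bool:
    # 7.1.0 behaviour (modelled): verify and record only the album actually requested.
    album = next((a for a in albums if a.id == album_id), None)
    if album is None or not verify(album, password):
        return False
    session.add(album.id)
    return True

def can_view(session: set, album_id: str) -> bool:
    # Per-session authorization check applied when serving an album's photos.
    return album_id in session

def demo() -> tuple:
    # Three constructed albums; alice and bob happen to reuse the same password.
    albums = [make_album("alice-holiday", "alice", "summer2024"),
              make_album("bob-family", "bob", "summer2024"),
              make_album("carol-work", "carol", "hunter2")]
    vuln = unlock_vulnerable(set(), albums, "summer2024")
    fixed = set()
    unlock_fixed(fixed, albums, "alice-holiday", "summer2024")
    return vuln, fixed
```

Running `demo()` shows the vulnerable session holding both alice's and bob's albums after one password, while the fixed session holds only the album that was actually requested.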
Workarounds
- If immediate upgrade is not possible, ensure each password-protected album uses a unique password
- Temporarily disable password-protected public albums until the upgrade can be applied
- Restrict access to the Lychee instance to trusted networks only
- Convert password-protected public albums to private albums with user-based access controls instead
# Update Lychee to patched version
cd /path/to/lychee
git fetch origin
git checkout v7.1.0
composer install --no-dev
php artisan migrate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

