CVE-2026-33537 Overview
CVE-2026-33537 is a Server-Side Request Forgery (SSRF) vulnerability in Lychee, a free, open-source photo-management tool. The vulnerability exists because a patch previously introduced to address GHSA-cpgw-wgf3-xc6v (SSRF via Photo::fromUrl) contains an incomplete IP validation check that fails to properly block loopback addresses and link-local addresses.
Prior to version 7.5.1, an authenticated user can still reach internal services by supplying the import target as a literal IP address rather than a hostname; this bypasses all four SSRF protection configuration settings even when they are left at their secure defaults. The result is a bypass of an existing security control: an attacker can probe internal network infrastructure and potentially read from sensitive internal services.
Critical Impact
Authenticated attackers can bypass SSRF protections to access internal services and network resources, potentially exposing sensitive data or enabling further attacks against internal infrastructure.
Affected Products
- Lychee versions prior to 7.5.1
- Lychee installations using the Photo::fromUrl functionality
- Self-hosted Lychee deployments with internal network access
Discovery Timeline
- 2026-03-26 - CVE-2026-33537 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33537
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The root issue is an incomplete security fix: the earlier patch put an IP check in front of the photo import fetch, but that check does not reject targets in loopback (127.0.0.0/8) or link-local (169.254.0.0/16) space, so a URL that names one of those addresses directly is still fetched by the server. Any replacement check should give the same treatment to the IPv6 counterparts (::1 and fe80::/10) on dual-stack hosts.
The attack is carried out over the network by an authenticated user with low privileges, and no user interaction is required. That makes it particularly concerning for multi-user Lychee deployments where ordinary accounts are allowed to import photos.
Root Cause
The vulnerability exists because the IP validation added to Photo::fromUrl for GHSA-cpgw-wgf3-xc6v is incomplete: it does not classify loopback and link-local addresses as internal. An attacker who supplies the target as a literal IP address (rather than a hostname) therefore gets past the check and can force the server to request internal network resources.
The four protection configuration settings designed to prevent SSRF are ineffective against this bypass technique, even when configured to their most restrictive defaults.
Attack Vector
The attack vector is an authenticated user submitting a crafted URL through the photo import feature. Because the validation logic does not recognise loopback and link-local literals as internal addresses, the attacker can:
- Access internal services running on the same host (loopback addresses)
- Probe link-local network services (169.254.x.x addresses)
- Potentially reach cloud metadata services in cloud-hosted deployments (169.254.169.254 sits inside the link-local range)
- Map internal network topology through response timing or error messages
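The following is an added example, not code from Lychee or its advisory, showing the difference between the incomplete shape of check described above (only RFC 1918 ranges denied) and a check that also refuses loopback and link-local targets, for both IP literals and hostnames. It is written in Python rather than Lychee's PHP so it can be run stand-alone; the DNS table, the host names in it and the helper names are all constructed for the example.

```python
"""Added example, not Lychee's code: a destination check for a server-side
URL fetch that rejects loopback and link-local targets (the gap described
above) in addition to RFC 1918 space, for both IP literals and hostnames."""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# The incomplete shape of check: only RFC 1918 blocks are denied, so
# 127.0.0.1, ::1 and 169.254.169.254 all pass. Kept here for contrast.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def naive_is_blocked(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def is_internal(ip_text: str) -> bool:
    """Hardened classification. IPv4-mapped IPv6 (::ffff:127.0.0.1) is
    unwrapped first so an IPv4 loopback cannot hide inside an IPv6 literal.
    Loopback, link-local (169.254/16, fe80::/10), private, reserved,
    unspecified and multicast addresses are all refused."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_unspecified or ip.is_multicast)


Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Default resolver: every address getaddrinfo returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed lookup table standing in for DNS so the example runs offline.
# "2130706433", "0x7f000001" and "127.1" are short IPv4 forms that the
# ipaddress module rejects but glibc's inet_aton (hence getaddrinfo and
# curl) still reads as 127.0.0.1, so they must go through the resolver path.
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "2130706433": ["127.0.0.1"],
    "0x7f000001": ["127.0.0.1"],
    "127.1": ["127.0.0.1"],
}


def demo_resolver(host: str) -> List[str]:
    return DEMO_DNS.get(host, [])


def check_fetch_url(url: str, resolve: Resolver = system_resolver) -> List[str]:
    """Validate a user-supplied URL before the server fetches it. Returns
    the addresses the fetch may connect to; the caller should connect to
    one of these rather than re-resolving, which closes DNS rebinding.
    Raises ValueError for anything that must not be fetched."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)        # IP literal (brackets already stripped)
        candidates = [host]
    except ValueError:
        candidates = list(resolve(host))  # hostname: check every returned address
        if not candidates:
            raise ValueError(f"unresolvable host: {host!r}")
    for addr in candidates:
        if is_internal(addr):
            raise ValueError(f"destination {addr} is internal")
    return candidates


def is_rejected(url: str, resolve: Resolver = demo_resolver) -> bool:
    """True if check_fetch_url refuses the URL (convenience for tests)."""
    try:
        check_fetch_url(url, resolve)
        return False
    except ValueError:
        return True
```

The resolver is injected so the check can be tested offline; in production `system_resolver` is used and the fetch must be pinned to one of the returned addresses, otherwise a second lookup at connect time can be rebound to an internal address.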
The fixing commit also updated the base Docker image. The hunk shown below is that base-image change only; the IP validation change in Photo::fromUrl is not reproduced on this page:
# ============================================================================
# Stage 3: Production FrankenPHP Image
# ============================================================================
-FROM dunglas/frankenphp:php8.5-trixie@sha256:7315062106fd2ee885d884072e3335f59e25a3abc34de0a03e102604ab73b4d0
+FROM dunglas/frankenphp:php8.5-trixie@sha256:93dcc4f16e01f0bc8e9d752bb19559cba4a23c14c9fd7ab825538fb432cd91ed
ARG USER=appuser
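Review bot: this hunk only moves the dunglas/frankenphp:php8.5-trixie pin from one digest to another; no IP validation logic appears in it, so by itself it cannot be the fix for the loopback and link-local bypass. If the digest bump is incidental to the security commit, the advisory or commit message should name the file that carries the Photo::fromUrl check change, since that is what readers will look for; if the new image is actually required for the fix to work, that dependency should be called out, because deployments outside this container get nothing from the image change alone. Pinning by digest rather than tag is the right call and should be kept.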
Source: GitHub Commit Details
Detection Methods for CVE-2026-33537
Indicators of Compromise
- Unusual requests through Photo::fromUrl targeting internal IP ranges (127.x.x.x, 169.254.x.x)
- Photo import attempts with URLs containing IP addresses instead of domain names
- Server logs showing outbound connections to internal services from the Lychee application
- Increased error rates in photo import functionality when targeting non-existent internal endpoints
Detection Strategies
- Monitor web application logs for photo import requests containing IP addresses in URL parameters
- Implement network-level monitoring to detect outbound connections from the Lychee server to internal services
- Review authentication logs for users repeatedly attempting imports with suspicious URLs
- Deploy web application firewall rules to flag requests whose URL parameter names an internal IP address (a WAF only sees the literal string, so hostnames that resolve internally and shortened address forms still need the network-level controls above)
Monitoring Recommendations
- Enable verbose logging for the Photo::fromUrl functionality to capture all import attempts
- Set up alerts for network connections from the Lychee server to internal IP ranges
- Monitor for unusual patterns in photo import success/failure rates that may indicate reconnaissance activity
- Implement egress filtering and log all outbound connections from the application server
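As an added example of the log-based detection described in the two lists above (it is not part of the advisory and not Lychee's code), the script below scans access-log lines for import requests whose url parameter names an IP literal, classifies the destination, and counts internal-target attempts per user so repeat offenders stand out. The log lines are constructed, the import route and the trailing user= field are assumptions about the deployment's logging, and the classification mirrors the ranges named in the Indicators of Compromise.

```python
"""Added example, not Lychee's code: flag photo-import requests whose url
parameter targets loopback, link-local or private space, and count them
per user. Log format, route and user field are assumptions."""
import ipaddress
import re
from collections import Counter
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed route for the import endpoint; adjust to the deployment's real route.
IMPORT_PATH = "/api/Photo::fromUrl"

# Constructed sample lines in combined-log style with a trailing user= field.
# The url parameter is put in the query string so it shows in access logs;
# if the deployment posts it in a JSON body, application-level logging of
# the import URL is needed instead.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2026:10:00:01 +0000] "POST /api/Photo::fromUrl?url=http%3A%2F%2F127.0.0.1%3A6379%2F HTTP/1.1" 500 231 user=alice
10.0.0.5 - - [26/Mar/2026:10:00:03 +0000] "POST /api/Photo::fromUrl?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 500 231 user=alice
10.0.0.7 - - [26/Mar/2026:10:01:10 +0000] "POST /api/Photo::fromUrl?url=https%3A%2F%2Fexample.com%2Fcat.jpg HTTP/1.1" 200 1024 user=bob
10.0.0.5 - - [26/Mar/2026:10:01:12 +0000] "POST /api/Photo::fromUrl?url=http%3A%2F%2F%5B%3A%3Affff%3A127.0.0.1%5D%2F HTTP/1.1" 500 231 user=alice
10.0.0.9 - - [26/Mar/2026:10:02:00 +0000] "GET /api/Albums HTTP/1.1" 200 512 user=carol
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'user=(?P<user>\S+)$'
)


def classify_destination(fetch_url: str) -> str:
    """ip_literal_internal / ip_literal_external / hostname.
    Hostnames cannot be judged from the log alone; correlate them with
    resolver or egress logs instead of guessing here."""
    host = urlsplit(fetch_url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    if ip.is_loopback or ip.is_link_local or ip.is_private:
        return "ip_literal_internal"
    return "ip_literal_external"


def scan(log_text: str, import_path: str = IMPORT_PATH) -> Tuple[List[dict], Counter]:
    """Return one finding per import request plus a per-user count of
    internal-literal targets, which is the signal for repeated probing."""
    findings: List[dict] = []
    per_user: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if path != import_path:
            continue
        url = parse_qs(query).get("url", [""])[0]  # percent-decoded
        kind = classify_destination(url)
        findings.append({"user": m["user"], "ts": m["ts"], "url": url,
                         "kind": kind, "status": int(m["status"])})
        if kind == "ip_literal_internal":
            per_user[m["user"]] += 1
    return findings, per_user


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["user"], f["kind"], f["url"])
    print("internal-target attempts per user:", dict(counts))
```

A user with several internal-literal attempts in a short window, especially paired with 5xx responses as in the sample, is the pattern worth alerting on; a single external hostname import is normal use.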
How to Mitigate CVE-2026-33537
Immediate Actions Required
- Upgrade Lychee to version 7.5.1 or later immediately
- Audit user accounts with photo import permissions and restrict access where possible
- Review application logs for evidence of exploitation attempts
- Implement network segmentation to limit the impact of SSRF attacks from the Lychee server
Patch Information
The vulnerability has been fixed in Lychee version 7.5.1. The patch addresses the incomplete IP validation by properly blocking loopback and link-local addresses. The fix is available in commit 41386677681d18cd04e42a35b50bd88bf53a4a6a.
For detailed information about the vulnerability and remediation, refer to the GitHub Security Advisory.
Workarounds
- Restrict the photo import feature to trusted administrators only until patching is possible
- Implement network-level egress filtering to prevent the Lychee server from connecting to internal IP ranges
- Deploy a web application firewall to block requests containing internal IP addresses in URL parameters (a stopgap only: it cannot see hostnames that resolve internally)
- Consider temporarily disabling the Photo::fromUrl functionality if not critical to operations
# Network-level mitigation: block outbound connections from the Lychee PHP
# process to internal ranges. The owner match needs the UID the PHP workers
# run as (www-data below; the FrankenPHP image shown above uses appuser), and
# the rules must be loaded in the network namespace where PHP runs. They also
# block legitimate localhost connections (database, cache), so add ACCEPT rules
# for those specific ports before these DROPs.
iptables  -A OUTPUT -d 127.0.0.0/8     -m owner --uid-owner www-data -j DROP
iptables  -A OUTPUT -d 169.254.0.0/16  -m owner --uid-owner www-data -j DROP   # includes 169.254.169.254 (cloud metadata)
iptables  -A OUTPUT -d 10.0.0.0/8      -m owner --uid-owner www-data -j DROP
iptables  -A OUTPUT -d 172.16.0.0/12   -m owner --uid-owner www-data -j DROP
iptables  -A OUTPUT -d 192.168.0.0/16  -m owner --uid-owner www-data -j DROP
ip6tables -A OUTPUT -d ::1/128         -m owner --uid-owner www-data -j DROP   # IPv6 loopback
ip6tables -A OUTPUT -d fe80::/10       -m owner --uid-owner www-data -j DROP   # IPv6 link-local
ip6tables -A OUTPUT -d fc00::/7        -m owner --uid-owner www-data -j DROP   # IPv6 unique-local
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

