
CVE-2026-22784: CWE-863: Incorrect Authorization in LycheeOrg Lychee

Severity: 0 | Low
Tags: vulnerability, CVE-2026-22784, CWE-863
Published: Mon Jan 12 2026 (01/12/2026, 18:37:55 UTC)
Source: CVE Database V5
Vendor/Project: LycheeOrg
Product: Lychee

Description

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.

AI-Powered Analysis

AI analysis last updated: 01/12/2026, 19:09:10 UTC

Technical Analysis

CVE-2026-22784 is an authorization vulnerability classified under CWE-863 (Incorrect Authorization) in Lychee, a free and open-source photo-management application. It affects versions prior to 7.1.0 and lies in the album password unlock functionality. When a user successfully unlocks a password-protected public album, the system erroneously unlocks every other public album that shares the same password. The result is an authorization bypass: the user gains access to albums they were never authorized to view. Exploitation requires no privileges and no prior authentication, but it does require the user to unlock at least one album. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), passive user interaction (UI:P), and low confidentiality impact (VC:L), with no impact on integrity or availability. No exploits have been reported in the wild. The issue was publicly disclosed on January 12, 2026, and fixed in Lychee version 7.1.0. The root cause is that the unlock check is keyed on the password rather than on the album: once one album's password is verified, all albums accepting that password are treated as unlocked, so the authorization decision is never scoped to the album the user actually requested. This can lead to unauthorized disclosure of private photo albums, potentially exposing sensitive or personal information.
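The following Python model illustrates the root cause described above: an unlock routine that grants access to every album matching the entered password, beside one that scopes the grant to the single album the user asked for. This is an added example, not Lychee's own code; the `Album` and `Session` structures, the PBKDF2-based `hash_password` helper, the function names and the sample albums are all assumptions made to keep the illustration self-contained.

```python
"""Model of the album-unlock authorization flaw described in CVE-2026-22784.

Added illustration, not Lychee's code: the data model, the session layout,
the hashing helper and the sample data are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, List


@dataclass
class Album:
    album_id: str
    owner: str
    is_public: bool
    password_hash: Optional[bytes]
    salt: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; it is not a claim about
    # the hashing scheme Lychee itself uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def check_password(album: Album, password: str) -> bool:
    if album.password_hash is None:
        return False
    return hmac.compare_digest(album.password_hash,
                               hash_password(password, album.salt))


@dataclass
class Session:
    # Album ids this session has unlocked (assumed session structure).
    unlocked: Set[str] = field(default_factory=set)


def unlock_vulnerable(albums: Dict[str, Album], session: Session,
                      album_id: str, password: str) -> bool:
    """Pre-7.1.0 behaviour as the advisory describes it: once the requested
    album's password verifies, every public album accepting the same
    password is unlocked as well."""
    target = albums[album_id]
    if not (target.is_public and check_password(target, password)):
        return False
    for album in albums.values():
        if album.is_public and check_password(album, password):
            session.unlocked.add(album.album_id)  # over-broad grant
    return True


def unlock_fixed(albums: Dict[str, Album], session: Session,
                 album_id: str, password: str) -> bool:
    """Authorization decision scoped to the one album the user requested."""
    target = albums[album_id]
    if not (target.is_public and check_password(target, password)):
        return False
    session.unlocked.add(album_id)
    return True


def can_view(album: Album, session: Session) -> bool:
    if album.password_hash is None:
        return album.is_public
    return album.album_id in session.unlocked


def make_album(album_id: str, owner: str, password: str) -> Album:
    salt = secrets.token_bytes(16)
    return Album(album_id, owner, True, hash_password(password, salt), salt)


def demo() -> Tuple[List[str], List[str]]:
    # Constructed sample: two different owners chose the same album password.
    albums = {
        "alice-holiday": make_album("alice-holiday", "alice", "summer2025"),
        "bob-family": make_album("bob-family", "bob", "summer2025"),
        "bob-other": make_album("bob-other", "bob", "different"),
    }
    vuln = Session()
    unlock_vulnerable(albums, vuln, "alice-holiday", "summer2025")
    fixed = Session()
    unlock_fixed(albums, fixed, "alice-holiday", "summer2025")
    return (sorted(a for a in albums if can_view(albums[a], vuln)),
            sorted(a for a in albums if can_view(albums[a], fixed)))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable session able to view both `alice-holiday` and Bob's `bob-family` album after a single unlock, while the fixed session can view only the album whose password was actually presented. The fix is purely a scoping change in the authorization decision; the password check itself is unchanged.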

Potential Impact

For European organizations using Lychee to manage photo collections, this vulnerability could lead to unauthorized disclosure of sensitive or private images stored in password-protected albums. Although the impact is limited to confidentiality and does not affect data integrity or system availability, unauthorized access to private media can have privacy, reputational, and compliance implications, especially under GDPR regulations. Organizations that use Lychee for internal or customer-facing photo management services may face data privacy breaches if attackers exploit this flaw. The requirement for user interaction reduces the risk of automated exploitation, but insider threats or social engineering could facilitate unauthorized access. Since the vulnerability affects only albums sharing the same password, reuse of passwords across multiple albums increases the scope of exposure. The low CVSS score reflects the limited severity, but the privacy impact can still be significant depending on the nature of the photos stored.

Mitigation Recommendations

The primary mitigation is to upgrade Lychee installations to version 7.1.0 or later, where the authorization bypass is fixed. Until upgrades are applied, organizations should audit their album password policies to ensure unique passwords are used per album to minimize the risk of mass unauthorized access. Administrators should educate users about the risks of password reuse across albums. Additionally, consider disabling public album password protection if not strictly necessary or implement alternative access control mechanisms. Monitoring access logs for unusual unlocking patterns can help detect potential exploitation attempts. Organizations should also review their data privacy policies and ensure that any exposed data is handled in compliance with GDPR and other relevant regulations. Finally, maintain awareness of any future exploit reports or patches related to this vulnerability.
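As an added example for the log-monitoring recommendation above (not code from Lychee or the advisory), the script below flags sessions that unlock an unusually large number of distinct albums within a short window. Because the bypass grants every same-password album in a single request, affected unlocks would cluster at the same timestamp. The `session=... event=album_unlock album=...` line format and the sample log are constructed assumptions; the page does not show what Lychee actually logs, so the regex would need adapting to a real deployment's log format.

```python
"""Flag sessions with bursts of album unlocks in a constructed log format.

Added example; the line format, field names and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Assumed format: "<ISO timestamp> session=<id> event=<name> album=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) event=(?P<event>\S+) album=(?P<album>\S+)$"
)

# Constructed sample: session s1 unlocks four albums in one instant,
# session s2 unlocks two albums fifteen minutes apart.
SAMPLE_LOG = """\
2026-01-13T09:00:01Z session=s1 event=album_unlock album=alice-holiday
2026-01-13T09:00:01Z session=s1 event=album_unlock album=bob-family
2026-01-13T09:00:01Z session=s1 event=album_unlock album=carol-trip
2026-01-13T09:00:01Z session=s1 event=album_unlock album=dave-kids
2026-01-13T09:05:00Z session=s2 event=album_unlock album=alice-holiday
2026-01-13T09:20:00Z session=s2 event=album_unlock album=bob-family
"""


def parse(log_text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, session, album) for each album_unlock line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["event"] == "album_unlock":
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["session"], m["album"]


def suspicious_sessions(log_text: str, max_albums: int = 2,
                        window: timedelta = timedelta(seconds=5)) -> Dict[str, List[str]]:
    """Return {session: albums} for sessions that unlocked more than
    `max_albums` distinct albums inside any `window`-long interval."""
    by_session: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, sid, album in parse(log_text):
        by_session[sid].append((ts, album))
    flagged: Dict[str, List[str]] = {}
    for sid, events in by_session.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            albums = {a for t, a in events[i:] if t - start <= window}
            if len(albums) > max_albums:
                flagged[sid] = sorted(albums)
                break
    return flagged


if __name__ == "__main__":
    for sid, albums in suspicious_sessions(SAMPLE_LOG).items():
        print(f"{sid}: {len(albums)} albums unlocked in one burst: {albums}")
```

The threshold and window are deliberately parameters: a user who legitimately owns several albums may unlock them in quick succession, so tune `max_albums` to what is normal for the deployment and correlate flagged sessions with album ownership before treating them as exploitation.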


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-01-09T18:27:19.388Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6965433ada2266e838fe6b32

Added to database: 1/12/2026, 6:53:46 PM

Last enriched: 1/12/2026, 7:09:10 PM

Last updated: 1/13/2026, 12:53:59 AM

