CVE-2026-33537: CWE-918: Server-Side Request Forgery (SSRF) in LycheeOrg Lychee
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-33537 is a medium-severity SSRF vulnerability identified in Lychee, a popular open-source photo-management application. The vulnerability stems from an incomplete fix for a prior SSRF flaw (GHSA-cpgw-wgf3-xc6v) in the `Photo::fromUrl` function, where the IP validation logic fails to block loopback (e.g., 127.0.0.1) and link-local addresses (e.g., 169.254.0.0/16). This allows an authenticated user to craft requests that bypass all four protection configuration settings, even when set to their secure defaults, to reach internal services directly by IP address. Since SSRF vulnerabilities enable attackers to make the server perform unauthorized requests, this can lead to unauthorized access to internal network resources, potentially exposing sensitive data or enabling further attacks such as internal port scanning or exploitation of internal services. The vulnerability requires authentication but no user interaction beyond that, and the attack vector is network-based with low attack complexity. The issue affects all Lychee versions prior to 7.5.1, which contains the corrected IP validation logic. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a significant risk for deployments exposing Lychee to untrusted authenticated users.
Potential Impact
This SSRF vulnerability can allow authenticated attackers to bypass network segmentation and access internal services that are otherwise protected from external access. Potential impacts include unauthorized access to sensitive internal APIs, databases, or administrative interfaces, leading to data leakage or further compromise of internal systems. Since Lychee is often deployed in environments managing private photo collections, the exposure of internal services could also lead to privacy violations or data integrity issues. The vulnerability could be leveraged to pivot attacks deeper into an organization's network, increasing the attack surface. Although exploitation requires authentication, many organizations have multiple users with access to Lychee, increasing the risk. The medium CVSS score reflects moderate impact and ease of exploitation, but the actual impact depends on the internal network architecture and the sensitivity of internal services accessible via SSRF.
Mitigation Recommendations
The primary mitigation is to upgrade Lychee to version 7.5.1 or later, which contains the fixed IP validation logic that blocks loopback and link-local addresses effectively. Until upgrading, organizations should restrict access to Lychee to trusted users only and limit network access from the Lychee server to internal services, implementing strict egress filtering and network segmentation to prevent SSRF exploitation. Additionally, administrators should review and harden internal services to require strong authentication and authorization, minimizing the impact if SSRF is exploited. Monitoring logs for unusual internal requests originating from Lychee can help detect exploitation attempts. Implementing Web Application Firewalls (WAFs) with SSRF detection rules may provide additional protection. Finally, educating users about the risks of uploading or linking to untrusted URLs can reduce attack vectors.
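The technical summary above describes a filter that blocks the RFC 1918 ranges but lets loopback and link-local addresses through, and the mitigation section asks for the corrected check. The following Python is an added illustration, not Lychee's code: `incomplete_is_blocked` is a constructed stand-in for a filter of that incomplete kind, `is_internal_address` is the shape of check a fetch-from-URL feature needs (loopback, link-local, private, IPv4-mapped IPv6 and other non-routable space), and `check_fetch_url` applies it to both literal IPs and every record a hostname resolves to. Host names, the resolver table and the `check_fetch_url` API are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not Lychee's code). Shows why a private-range-only filter is
# insufficient and what a complete non-public-address check looks like.

# Constructed incomplete filter: only RFC 1918 space is rejected, so
# 127.0.0.0/8 and 169.254.0.0/16 are accepted.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def incomplete_is_blocked(ip_str: str) -> bool:
    """Stand-in for an incomplete check: blocks RFC 1918 ranges and nothing else."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in _RFC1918)


def is_internal_address(ip_str: str) -> bool:
    """True for any address a server-side fetch must never contact."""
    ip = ipaddress.ip_address(ip_str)
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) is judged as the embedded IPv4 address,
    # otherwise the loopback check could be sidestepped through the IPv6 stack.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_loopback        # 127.0.0.0/8, ::1
        or ip.is_link_local   # 169.254.0.0/16 (includes cloud metadata endpoints), fe80::/10
        or ip.is_private      # RFC 1918, unique-local IPv6, documentation and benchmark ranges
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified  # 0.0.0.0, ::
        or not ip.is_global   # also catches shared address space 100.64.0.0/10
    )


def _system_resolver(host: str) -> list:
    """Default resolver: every A/AAAA record for the host, deduplicated."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_fetch_url(url: str, resolver=_system_resolver) -> tuple:
    """Return (allowed, reason). A URL is allowed only if it is http(s) and every
    address it points at (literal or resolved) is publicly routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # urlsplit strips the [] around IPv6 literals
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
        if not addresses:
            return False, "host resolved to no addresses"
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"{host} points at non-public address {addr}"
    return True, f"{host} -> {', '.join(addresses)}"


if __name__ == "__main__":
    # Constructed resolver table so the demonstration runs offline.
    table = {"cdn.example": ["8.8.8.8"], "rebind.example": ["8.8.8.8", "127.0.0.1"]}
    for u in ("http://127.0.0.1:8080/", "http://169.254.169.254/", "https://cdn.example/a.jpg",
              "https://rebind.example/a.jpg", "http://[::ffff:127.0.0.1]/"):
        print(u, check_fetch_url(u, resolver=lambda h: table[h]))
```

Two points matter when wiring a check like this into a fetch: reject the URL if any resolved record is non-public, not just the first one, and connect to the address that was validated rather than letting the HTTP client resolve the name again, since a second lookup can return a different answer. Redirects need the same check applied to every hop.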
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T18:05:11.831Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6c6933c064ed76fdc2997
Added to database: 3/27/2026, 6:04:03 PM
Last enriched: 3/27/2026, 6:07:40 PM
Last updated: 3/28/2026, 1:22:16 AM