CVE-2026-33644: CWE-918: Server-Side Request Forgery (SSRF) in LycheeOrg Lychee
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (lines 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.
AI Analysis
Technical Summary
CVE-2026-33644 is a Server-Side Request Forgery (SSRF) vulnerability in Lychee, a free and open-source photo-management tool. The flaw lies in the SSRF protection implemented in `PhotoUrlRule.php`: the IP validation check (lines 86-89) only runs when the hostname is an IP literal. When a domain name is supplied, `filter_var($host, FILTER_VALIDATE_IP)` returns false and the IP validation logic is skipped entirely, so the private-range check never sees the address the name actually resolves to. This allows an attacker to use DNS rebinding to bypass the SSRF protection: the attacker controls DNS answers for a domain so that it resolves to an internal network address (or switches to one between validation and use), coercing the server into making requests to internal services or other restricted resources. All Lychee versions prior to 7.5.2 contain the vulnerable protection code. The issue was published on March 26, 2026, and has a CVSS 4.0 base score of 2.3, a low severity reflecting the need for low privileges and the added attack complexity. No public exploits are known to exist at this time. The vulnerability is classified under CWE-918 (Server-Side Request Forgery). Version 7.5.2 corrects the validation logic so that domain names are handled properly and the DNS rebinding bypass is prevented.
Potential Impact
The primary impact of this SSRF vulnerability is that an attacker with low privileges on a vulnerable Lychee installation can coerce the server to send unauthorized HTTP requests to arbitrary internal or external systems. This can lead to information disclosure if internal services respond with sensitive data, or enable further attacks such as port scanning, accessing metadata services in cloud environments, or interacting with internal APIs not exposed externally. However, the overall impact is limited by the low CVSS score, indicating that exploitation requires some level of access (likely authenticated user or low privilege) and that the vulnerability does not directly lead to remote code execution or full system compromise. Organizations running Lychee in environments with sensitive internal networks or cloud metadata services are at higher risk. The vulnerability could be leveraged as part of a multi-stage attack chain but is unlikely to cause immediate critical damage on its own.
Mitigation Recommendations
The primary mitigation is to upgrade Lychee to version 7.5.2 or later, where the SSRF protection logic has been corrected to properly validate domain names and prevent DNS rebinding bypass. Until upgrading is possible, organizations should implement network-level controls such as restricting outbound HTTP requests from the Lychee server to only trusted destinations, using firewall rules or proxy whitelisting. Additionally, internal services that could be targeted by SSRF should enforce strong authentication and authorization to limit the impact of unauthorized requests. Monitoring and logging outbound requests from Lychee can help detect suspicious activity indicative of SSRF exploitation attempts. Developers and administrators should also review any custom plugins or integrations that might bypass standard request validation. Finally, educating users about the risks of SSRF and applying the principle of least privilege to Lychee user accounts can reduce the attack surface.
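The weak check described in the Technical Summary beside a hardened form, as an added example that is not Lychee's own code; the function names, the `dns_get_record`-based resolver, the `$resolved` parameter and the sample addresses are assumptions made for illustration:

```php
<?php
declare(strict_types=1);
// Added example, not Lychee's code: weak and hardened host checks for a user-supplied URL.
// Rejects RFC 1918, loopback, link-local (incl. 169.254.169.254) and other reserved ranges.
const BLOCK_FLAGS = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;

/** Weak pattern: the range check only runs when the host literal is itself an IP. */
function weakHostAllowed(string $host): bool
{
    $literal = trim($host, '[]');                    // parse_url keeps IPv6 brackets
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        return filter_var($literal, FILTER_VALIDATE_IP, BLOCK_FLAGS) !== false;
    }
    return true;  // any domain name passes: the IP check is skipped entirely
}

/** Hypothetical helper: resolve a hostname to every A/AAAA answer via dns_get_record. */
function resolveHost(string $host): array
{
    $literal = trim($host, '[]');
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        return [$literal];
    }
    $ips = [];
    foreach ((dns_get_record($host, DNS_A | DNS_AAAA) ?: []) as $rr) {
        $ips[] = $rr['ip'] ?? $rr['ipv6'] ?? '';
    }
    return array_values(array_filter($ips));
}

/** Hardened: every address the name resolves to must be public; unresolvable fails closed. */
function hardenedHostAllowed(string $host, ?array $resolved = null): bool
{
    $ips = $resolved ?? resolveHost($host);
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, BLOCK_FLAGS) === false) {
            return false;  // one internal answer is enough to reject the URL
        }
    }
    return true;
}

// Constructed inputs; $resolved is injected so the demo runs without DNS.
$host = parse_url('http://photos.example/img.jpg', PHP_URL_HOST);
var_dump(weakHostAllowed($host));      // domain name: the weak form never consults DNS
var_dump(hardenedHostAllowed($host, ['203.0.113.10', '127.0.0.1']));  // mixed answers
```

Because a rebinding attacker can change the DNS answer between validation and the actual fetch, the HTTP client should connect to the address that was validated (for example by pinning it with curl's `CURLOPT_RESOLVE`) rather than resolving the name a second time.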
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T15:23:42.216Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6c6933c064ed76fdc299b
Added to database: 3/27/2026, 6:04:03 PM
Last enriched: 3/27/2026, 6:07:56 PM
Last updated: 3/27/2026, 11:35:45 PM