VYPR
Unrated severity · OSV Advisory · Published Jan 12, 2026 · Updated Jan 12, 2026

Lychee cross-album password propagation on Album unlocking

CVE-2026-22784

Description

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.
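The propagation described above, modelled as an added example (this is not Lychee's code, and the page does not say how 7.1.0 implements the fix). The `Album` and `Session` types, the function names, and the SHA-256 stand-in for a password hash are all assumptions made for illustration; the flawed routine grants access to every album whose password matches, while the scoped routine grants access only to the album that was requested.

```python
# Added illustration: a minimal model of the flaw, not Lychee's code.
import hashlib
import hmac
from dataclasses import dataclass, field


def _hash(password: str) -> bytes:
    # Stand-in for a real password hash (assumption; use bcrypt/argon2 in practice).
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Album:
    album_id: str
    owner: str
    password_hash: bytes


@dataclass
class Session:
    unlocked: set = field(default_factory=set)


def _matches(album: Album, password: str) -> bool:
    return hmac.compare_digest(album.password_hash, _hash(password))


def unlock_propagating(albums, session, album_id, password):
    """Flawed pattern from the description: a correct password for one album
    unlocks every album whose password also matches."""
    if not _matches(albums[album_id], password):
        return False
    for album in albums.values():
        if _matches(album, password):
            session.unlocked.add(album.album_id)
    return True


def unlock_scoped(albums, session, album_id, password):
    """Hardened pattern: the grant is scoped to the requested album only."""
    if not _matches(albums[album_id], password):
        return False
    session.unlocked.add(album_id)
    return True


def sample_albums():
    # Constructed sample data: two owners who happen to reuse one password.
    return {a.album_id: a for a in (
        Album("alice-trip", "alice", _hash("summer2025")),
        Album("bob-family", "bob", _hash("summer2025")),
        Album("bob-work", "bob", _hash("other-secret")),
    )}
```

A regression test for this class of bug asserts that, after unlocking one album, the session's unlocked set contains that album ID and nothing else.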

Affected products

2
  • Lycheeorg/Lychee · OSV · 2 versions
    v4.0.0, v4.0.0-alpha.1, v4.0.0-beta.1, …+ 1 more
    • (no CPE) range: v4.0.0, v4.0.0-alpha.1, v4.0.0-beta.1, …
    • (no CPE) range: <7.1.0
