CVE-2026-22784

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2026-22784

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22784.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-22784

Aliases

GHSA-jj56-2c54-4f25

Published

2026-01-12T18:37:55.183Z

Modified

2026-01-12T19:56:22.264828Z

Severity

2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Lychee cross-album password propagation on Album unlocking

Details

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22784.json",
    "cwe_ids": [
        "CWE-863"
    ]
}

References

Affected packages

Git / github.com/lycheeorg/lychee

Affected ranges

Type

GIT

Repo

https://github.com/lycheeorg/lychee

Events

Introduced

Fixed

7dc664005b0058316e0ab7b6b2a0729b9ec13286

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.1.0"
        }
    ]
}

Affected versions

v4.*

v4.0.0

v4.0.0-alpha.1

v4.0.0-beta.1

v4.0.0-beta.2

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.1.0

v4.10.0

v4.11.0

v4.11.1

v4.12.0

v4.13.0

v4.2.0

v4.2.1

v4.2.2

v4.3.0

v4.3.4

v4.3.5

v4.3.6

v4.4.0

v4.5.0

v4.5.1

v4.5.2

v4.5.3

v4.6.0

v4.6.0-RC

v4.6.0-RC2

v4.6.0-RC3

v4.6.1

v4.6.1-RC1

v4.6.1-RC2

v4.6.2

v4.6.2-RC1

v4.6.2-RC2

v4.6.3-RC1

v4.6.4

v4.6.5

v4.7.0

v4.7.1

v4.7.2

v4.7.3

v4.7.4

v4.8.0

v4.8.1

v4.9.0

v4.9.1

v4.9.2

v4.9.3

v4.9.3-RC

v4.9.4

v5.*

v5.0.0

v5.0.0-beta

v5.0.1

v5.0.2

v5.0.3

v5.1.0

v5.1.1

v5.1.2

v5.2.0

v5.2.1

v5.2.2

v5.3.0

v5.3.1

v5.4.0

v5.5.0

v5.5.1

v6.*

v6.0.0

v6.0.1

v6.1.0

v6.1.1

v6.1.2

v6.10.0

v6.10.1

v6.10.2

v6.10.3

v6.10.4

v6.2.0

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.4.0

v6.4.1

v6.4.2

v6.5.0

v6.5.1

v6.5.2

v6.5.3

v6.6.0

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7.0

v6.7.1

v6.7.2

v6.8.0

v6.8.1

v6.9.0

v6.9.1

v6.9.2

v6.9.3

v6.9.4

v7.*

v7.0.0

v7.0.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22784.json"