CVE-2026-53662

Immich-app · Immich

Immich is vulnerable to reflected cross-site scripting (XSS) on its login page: an attacker who gets a logged-in user to open a crafted link can run script inside that user's session and use it to create persistent API keys under the victim's account (administrative ones, when the victim is an administrator).

Executive summary

A critical reflected XSS vulnerability in Immich lets an attacker compromise an authenticated session and obtain persistent, unauthorized API access to the victim's account; the victim only has to click a single crafted link while logged in.

Vulnerability

The /auth/login page does not validate the continue query parameter, which carries the post-login redirect target. Because the value is reflected without checks, an attacker-controlled continue value can execute arbitrary JavaScript in the context of the victim's session, that is, in the application's own origin with the victim's cookies and tokens available to the script.
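The following is an added example, not Immich's own code: it shows the weak pattern behind an unvalidated post-login redirect next to a hardened check that accepts only same-origin relative paths. The exact Immich code path and the payload used against CVE-2026-53662 are not reproduced here; the function names, the parameter handling and the origin immich.example are illustrative assumptions.

```typescript
// Added example, not Immich's own code. The exact Immich code path and payload
// behind CVE-2026-53662 are not reproduced; all names below are illustrative.

// Vulnerable pattern (assumed): the raw ?continue= value becomes the navigation
// target after login. A value such as "javascript:..." then executes in the
// logged-in user's origin, which is what turns the XSS into a session compromise.
export function unsafeContinueTarget(query: URLSearchParams): string {
  return query.get('continue') ?? '/';
}

// Hardened: accept only an absolute path on the current origin; anything else
// falls back to a fixed default. Absolute URLs are rejected even when they name
// our own host, which keeps the check simple and free of host-matching bugs.
export function safeContinueTarget(query: URLSearchParams, fallback = '/'): string {
  const candidate = query.get('continue');
  if (!candidate) return fallback;

  // Cheap structural checks first: must be a path, not a scheme ("javascript:")
  // or a protocol-relative URL ("//evil.example"). Browsers treat "\" like "/"
  // in special-scheme URLs, so "/\evil.example" is protocol-relative as well.
  if (!candidate.startsWith('/') || candidate.startsWith('//') || candidate.startsWith('/\\')) {
    return fallback;
  }
  // URL parsers strip tabs and newlines, which enables "java\nscript:"-style
  // smuggling in other positions; reject control characters outright.
  if (/[\u0000-\u001f\u007f]/.test(candidate)) return fallback;

  // Final authority: resolve against a fixed origin with the WHATWG URL parser
  // and confirm the origin did not change. ASSUMED_ORIGIN stands in for the
  // deployment's real origin.
  const ASSUMED_ORIGIN = 'https://immich.example';
  const resolved = new URL(candidate, ASSUMED_ORIGIN);
  if (resolved.origin !== ASSUMED_ORIGIN) return fallback;

  // Re-serialise from the parsed parts so the caller gets a normalised path.
  return resolved.pathname + resolved.search + resolved.hash;
}
```

Feeding `continue=javascript:alert(document.cookie)` to the unsafe version returns the payload unchanged as the redirect target, while the hardened version returns the fallback for that input, for `//evil.example/x`, and for `/\evil.example/x`, but passes `/photos?album=1` through intact.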

Business impact

The CVSS score of 9.6 (critical) reflects how little the attack requires: the victim need only open a crafted link while logged in, and the payload then runs with that user's privileges. From inside the hijacked session the attacker can mint API keys, which outlive the browser session and keep working after the victim logs out or the XSS itself is patched, giving persistent, unauthorized access to the victim's media and personal data with the resulting privacy and data-integrity exposure.

Remediation

Immediate Action: Update Immich to a release that contains commit 4eb1003, which adds proper validation of the continue redirect target; builds without that commit remain exposed.

Proactive Monitoring: Review web server and reverse-proxy access logs for requests to /auth/login whose continue parameter carries anything other than a plain relative path, in particular percent-encoded (possibly double-encoded) JavaScript payloads, and audit each account's API key list for keys the owner does not recognise. Because the payload is reflected from the request URL, the query string must be present in the logs for this check to work.
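The following is an added example of the log review described above; it is not part of the advisory or of Immich. The log lines are constructed for the example and use the common nginx/Apache "combined" layout, and the heuristics (script-capable schemes, HTML tags, event-handler attributes, non-relative targets) are an assumption about what a reflected payload in the continue parameter would look like, since the advisory does not publish the actual payload.

```typescript
// Added example, not Immich's own code or logging format: triage reverse-proxy
// access logs for suspicious ?continue= values on /auth/login. Sample log lines
// below are constructed for this example.

export interface Finding {
  client: string;
  time: string;
  decoded: string;
  reasons: string[];
}

// Combined log format: client ident user [time] "METHOD target HTTP/x" status ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" /;

// Decode until the string stops changing (bounded), so %25-double-encoding
// cannot hide a payload from a single-pass check.
export function fullyDecode(value: string, maxRounds = 3): string {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next: string;
    try {
      next = decodeURIComponent(current.replace(/\+/g, ' '));
    } catch {
      break; // malformed percent escape: keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Heuristic reasons a decoded continue value deserves a look. These are triage
// signals, not proof; the last check alone catches every non-relative target.
export function suspicionReasons(decoded: string): string[] {
  const reasons: string[] = [];
  const lower = decoded.toLowerCase();
  // Browsers strip tabs and newlines, so "java\nscript:" still runs: collapse
  // whitespace and control characters before the scheme check.
  const compact = lower.replace(/[\s\u0000-\u001f]/g, '');
  if (/^(javascript|data|vbscript):/.test(compact)) reasons.push('script-capable URL scheme');
  if (/<\s*(script|img|svg|iframe)\b/.test(lower)) reasons.push('HTML tag in redirect target');
  if (/[\s"'<]on[a-z]+\s*=/.test(lower)) reasons.push('inline event handler attribute');
  if (!decoded.startsWith('/') || decoded.startsWith('//') || decoded.startsWith('/\\')) {
    reasons.push('not a same-origin relative path');
  }
  return reasons;
}

export function triageAccessLog(log: string): Finding[] {
  const findings: Finding[] = [];
  for (const line of log.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, client, time, target] = m;
    const qIndex = target.indexOf('?');
    if (qIndex === -1 || !target.slice(0, qIndex).endsWith('/auth/login')) continue;
    // Split the raw query by hand: URLSearchParams would decode once and hide
    // the double-encoding that fullyDecode is meant to expose.
    for (const pair of target.slice(qIndex + 1).split('&')) {
      const eq = pair.indexOf('=');
      const key = eq === -1 ? pair : pair.slice(0, eq);
      if (key !== 'continue') continue;
      const decoded = fullyDecode(eq === -1 ? '' : pair.slice(eq + 1));
      const reasons = suspicionReasons(decoded);
      if (reasons.length > 0) findings.push({ client, time, decoded, reasons });
    }
  }
  return findings;
}

// Constructed sample: two benign login requests followed by two suspicious ones
// (a javascript: scheme and a double-encoded protocol-relative URL).
export const SAMPLE_LOG = [
  '203.0.113.7 - - [02/May/2026:10:01:12 +0000] "GET /auth/login?continue=%2Fphotos HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [02/May/2026:10:01:40 +0000] "GET /auth/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [02/May/2026:10:02:05 +0000] "GET /auth/login?continue=javascript%3Aalert(document.cookie) HTTP/1.1" 200 1532 "-" "curl/8.5.0"',
  '198.51.100.23 - - [02/May/2026:10:02:09 +0000] "GET /auth/login?continue=%252F%252Fevil.example%252Fx HTTP/1.1" 200 1532 "-" "curl/8.5.0"',
].join('\n');
```

Running triageAccessLog over SAMPLE_LOG yields two findings, both from 198.51.100.23: the javascript: target is flagged for its scheme and for not being a relative path, and the double-encoded value decodes to //evil.example/x and is flagged as a non-relative target. Follow each hit by checking whether the same client or the targeted account created new API keys shortly afterwards.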

Compensating Controls: Deploy a Content Security Policy (CSP) whose script-src does not allow 'unsafe-inline'; browsers then refuse both injected inline scripts and javascript: navigation targets, which limits what a reflected payload can do. CSP is a mitigation, not a fix: it must be tested against the application's own scripts so that it does not break the UI, and it does not remove the underlying validation flaw.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The risk of persistent account takeover via this XSS vulnerability is severe. Operators of affected versions should update their instances immediately. Because an API key minted through the XSS keeps working after the update, users should then review their API key list, revoke and re-issue any key created during the period of exposure that they do not recognise, and sign out existing sessions.