CVE-2026-59258

immich-app · immich

Immich is susceptible to an incorrect authorization vulnerability that allows authenticated users to perform unauthorized actions on shared albums.

Executive summary

An authorization flaw in Immich allows authenticated users to escalate privileges and perform unauthorized ownership takeovers of shared albums.

Vulnerability

The application is affected by incorrect authorization (CWE-863), which permits a low-privileged authenticated user to manipulate album ownership via the updateUser function.

Business impact

With a CVSS score of 8.3, this vulnerability presents a high risk of unauthorized data access and manipulation. Exploitation could allow malicious actors to seize control of private or shared media collections, leading to the exposure of sensitive personal information and potential loss of data control.

Remediation

Immediate Action: Update the Immich application to version 3.0.3 or later to apply the necessary authorization checks.

Proactive Monitoring: Monitor user logs for unexpected changes in album ownership or administrative actions performed by non-administrative accounts.

Compensating Controls: Restrict access to the application instance to trusted users only and employ Web Application Firewalls (WAF) to detect and block suspicious API calls related to user management.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

The existence of a proof-of-concept makes this vulnerability an immediate concern despite the requirement for authentication. Administrators should prioritize patching to version 3.0.3 to prevent potential data breaches within their media management environment.