PT-2026-30190 · Immich · Immich

Rvizx · Published 2026-04-03 · Updated 2026-04-03 · CVE-2026-25118

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Immich versions prior to 2.6.0

Description: Prior to version 2.6.0, the Immich application discloses credentials when a user authenticates to a shared album. The application transmits the album password within the URL query parameters in a GET request to the /api/shared-links/me endpoint. This exposes the password in browser history, proxy logs, server logs, and referrer headers, potentially leading to unauthorized access to shared albums and exposure of user data.

Recommendations: Update to version 2.6.0 or later.
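
The following added example, which is not part of the advisory or of Immich's code, scans web-server or reverse-proxy access logs for GET requests to /api/shared-links/me that carry a password in the query string and redacts the value. The parameter name `password`, the `key` parameter and the sample log lines are assumptions constructed for the example; the advisory does not name the parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

ENDPOINT = "/api/shared-links/me"   # endpoint named in the advisory
SENSITIVE_PARAMS = {"password"}     # assumption: the advisory does not name the parameter

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, made-up values).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Apr/2026:10:00:01 +0000] "GET /api/shared-links/me?password=hunter2&key=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Apr/2026:10:00:02 +0000] "GET /api/shared-links/me?key=abc123 HTTP/1.1" 401 64 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Apr/2026:10:00:03 +0000] "GET /api/albums?password=x HTTP/1.1" 200 10 "-" "curl/8.0"',
]

def scrub_line(line):
    """Return (line, leaked): the line with the password value redacted, and a flag."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, False
    parts = urlsplit(m.group("target"))
    if m.group("method") != "GET" or parts.path.rstrip("/") != ENDPOINT:
        return line, False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Only a non-empty value counts as a disclosed credential.
    if not any(k.lower() in SENSITIVE_PARAMS and v for k, v in pairs):
        return line, False
    safe = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    target = parts._replace(query=urlencode(safe)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], True

def scan(lines):
    """Return [(line_number, redacted_line)] for every line that leaked a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, leaked = scrub_line(line)
        if leaked:
            hits.append((number, redacted))
    return hits

if __name__ == "__main__":
    for number, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```

A hit means the shared-album password was written in clear text to that log and should be treated as known to anyone able to read it.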

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-25118

Affected Products

Immich