PT-2026-5311 · Immich · Immich
Darkamaul · Published 2026-01-29 · Updated 2026-01-29 · CVE-2026-23896
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
immich versions prior to 2.5.0
Description
immich is a self-hosted photo and video management solution. Prior to version 2.5.0, API keys could elevate their own permissions by using the update endpoint, which allowed a low-privilege API key to gain full administrative access to the system. The vulnerable endpoint is /api/v1/users/me and the vulnerable parameter is role.
Recommendations
Update to version 2.5.0 or later.
Weakness Enumeration
Improper Privilege Management
Affected Products
Immich