Description
immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.
Published: 2026-01-29
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via API Key Update
Action: Immediate Patch
AI Analysis

Impact

An authenticated API key can use the update endpoint to increase its own permission level to full administrative rights. This privilege escalation lets an attacker read, modify, or delete all stored media and system settings, undermining confidentiality, integrity, and availability of the immich deployment.

Affected Systems

The vulnerability affects the immich‑app photo and video management solution. Any installation running a version earlier than 2.5.0 is vulnerable, regardless of platform, including Docker deployments as indicated by the CPE record cpe:2.3:a:futo:immich:*:*:*:*:*:docker:*:*.

Risk and Exploitability

The CVSS score of 7.2 signals high severity, yet the EPSS score of less than 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an existing API key; once a key is obtained, the attacker can call the update endpoint to grant themselves administrator access, potentially compromising the entire system.

Generated by OpenCVE AI on April 18, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade immich to version 2.5.0 or later to apply the security fix, re‑enabling the update endpoint restriction for API keys.
  • Revoke all existing API keys, generate new keys with the minimal required scopes, and publish them to authorized applications only.
  • Enable comprehensive logging of API calls and monitor for unexpected privilege changes or elevated key usage to detect abuse early.

Generated by OpenCVE AI on April 18, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Futo
Futo immich
CPEs cpe:2.3:a:immich:immich:*:*:*:*:*:docker:*:* cpe:2.3:a:futo:immich:*:*:*:*:*:docker:*:*
Vendors & Products Immich
Immich immich
Futo
Futo immich

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Immich
Immich immich
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:immich:immich:*:*:*:*:*:docker:*:*
Vendors & Products Immich
Immich immich

Fri, 30 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Immich-app
Immich-app immich
Vendors & Products Immich-app
Immich-app immich

Thu, 29 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.
Title immich API Key Privilege Escalation vulnerability
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Futo Immich
Immich-app Immich
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T21:25:38.711Z

Reserved: 2026-01-16T21:02:02.903Z

Link: CVE-2026-23896

cve-icon Vulnrichment

Updated: 2026-01-29T21:25:33.128Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-29T18:16:14.970

Modified: 2026-04-15T18:55:12.210

Link: CVE-2026-23896

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses