Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.
AnalysisAI
Immich prior to version 2.6.0 discloses shared album passwords in cleartext within URL query parameters during authentication to /api/shared-links/me, exposing credentials to browser history, proxy logs, server logs, and HTTP referrer headers. An unauthenticated attacker with access to these logs or referrer data can obtain album passwords and compromise shared album access, affecting all installations using shared albums with password protection before the patch.
Technical ContextAI
Immich is a self-hosted photo and video management application that implements shared album functionality with optional password protection. The vulnerability stems from CWE-598 (Use of GET Request with Sensitive Query Strings), a common HTTP protocol misuse pattern. When users authenticate to a password-protected shared album, the application passes the album password as a query parameter in a GET request rather than via POST request body or HTTP headers. GET request parameters are logged by default in browser history, HTTP proxy logs, reverse proxy/load balancer logs, and transmitted in the Referer header to external sites, violating the principle of transmitting credentials only through secure channels. The affected CPE range is cpe:2.3:a:immich-app:immich:*:*:*:*:*:*:*:* prior to version 2.6.0.
RemediationAI
Upgrade Immich to version 2.6.0 or later, which remediates the vulnerability by transmitting album passwords via secure HTTP POST request body or authenticated headers rather than GET query parameters. Vendor-released patch: v2.6.0 (confirmed via https://github.com/immich-app/immich/releases/tag/v2.6.0). For installations unable to update immediately, implement compensating controls: (1) restrict access to server logs and reverse proxy logs to minimize credential exposure in log files, (2) enforce HTTPS throughout the stack to prevent referrer header leakage over unencrypted channels, (3) configure log retention policies to minimize the window of password exposure in archived logs, and (4) rotate shared album passwords in existing deployments as a precautionary measure. The upstream fix is documented in pull requests #26868 and #26886, which detail the migration from GET to POST request handling for authentication endpoints.
Immich versions prior to 2.5.0 contain an improper access control flaw that allows any authenticated API key to escalate
Album ownership takeover in immich before 3.0.3 allows a user with shared-album editor access to escalate to full owner
Reflected cross-site scripting in Immich (commits 4ffa26c9 through pre-4eb1003) allows a single-click account takeover o
Stored Cross-Site Scripting in Immich photo management platform versions prior to 2.7.0 enables authenticated attackers
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18756