Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network endpoint reachable with low complexity, but attacker needs existing editor grant (PR:L); ownership seizure plus deletion/eviction yields high integrity and availability, low confidentiality impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
immich before 3.0.3 contains a broken access control vulnerability in the PUT /albums/:id/user/:userId endpoint that allows shared album editors to modify member roles without owner-only restrictions. Attackers with editor access can demote the album owner to editor and promote themselves to owner in sequential requests, gaining full control including deletion and eviction capabilities.
AnalysisAI
Album ownership takeover in immich before 3.0.3 allows a user with shared-album editor access to escalate to full owner by abusing the PUT /albums/:id/user/:userId endpoint (CWE-863, Incorrect Authorization). Because the endpoint fails to enforce owner-only restrictions on role changes, an editor can demote the legitimate owner and promote themselves across two sequential requests, gaining deletion and member-eviction control over the album and its assets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must already hold editor-level access on a shared album belonging to the victim (PR:L) - i.e., the owner must have previously shared an album and granted the attacker the editor role. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H) rates this 7.2 (High): network-reachable, low complexity, no user interaction, but requiring low privileges - the attacker must already be an invited editor on a shared album. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker is invited as an editor to a victim's shared album. Using the documented PUT /albums/:id/user/:userId behavior, they send one request demoting the album owner to editor, then a second request promoting their own account to owner - after which they can delete the album, evict the original owner, and control all shared assets. … |
| Remediation | Vendor-released patch: upgrade immich to v3.0.3 or later (https://github.com/immich-app/immich/releases/tag/v3.0.3), which merges the owner-only enforcement fix in PR #29883 (commit 84dff19ca9a467752d848ff54763d62c04ebf960). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Immich deployments and confirm current versions against v3.0.3; flag any instances running pre-3.0.3 as requiring urgent patching. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Immich versions prior to 2.5.0 contain an improper access control flaw that allows any authenticated API key to escalate
Reflected cross-site scripting in Immich (commits 4ffa26c9 through pre-4eb1003) allows a single-click account takeover o
Stored Cross-Site Scripting in Immich photo management platform versions prior to 2.7.0 enables authenticated attackers
Immich prior to version 2.6.0 discloses shared album passwords in cleartext within URL query parameters during authentic
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44755
GHSA-mxpm-jvrh-gcj5