Skip to main content

immich CVE-2026-59258

| EUVDEUVD-2026-44755 HIGH
Incorrect Authorization (CWE-863)
2026-07-15 VulnCheck GHSA-mxpm-jvrh-gcj5
7.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

Network endpoint reachable with low complexity, but attacker needs existing editor grant (PR:L); ownership seizure plus deletion/eviction yields high integrity and availability, low confidentiality impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 17:48 vuln.today
Analysis Generated
Jul 15, 2026 - 17:48 vuln.today
CVE Published
Jul 15, 2026 - 17:03 cve.org
HIGH 7.2

DescriptionCVE.org

immich before 3.0.3 contains a broken access control vulnerability in the PUT /albums/:id/user/:userId endpoint that allows shared album editors to modify member roles without owner-only restrictions. Attackers with editor access can demote the album owner to editor and promote themselves to owner in sequential requests, gaining full control including deletion and eviction capabilities.

AnalysisAI

Album ownership takeover in immich before 3.0.3 allows a user with shared-album editor access to escalate to full owner by abusing the PUT /albums/:id/user/:userId endpoint (CWE-863, Incorrect Authorization). Because the endpoint fails to enforce owner-only restrictions on role changes, an editor can demote the legitimate owner and promote themselves across two sequential requests, gaining deletion and member-eviction control over the album and its assets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain editor access to shared album
Exploit
Call PUT /albums/:id/user/:userId to demote owner
Execution
Send second request promoting self to owner
Impact
Delete album or evict original owner

Vulnerability AssessmentAI

Exploitation The attacker must already hold editor-level access on a shared album belonging to the victim (PR:L) - i.e., the owner must have previously shared an album and granted the attacker the editor role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H) rates this 7.2 (High): network-reachable, low complexity, no user interaction, but requiring low privileges - the attacker must already be an invited editor on a shared album. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker is invited as an editor to a victim's shared album. Using the documented PUT /albums/:id/user/:userId behavior, they send one request demoting the album owner to editor, then a second request promoting their own account to owner - after which they can delete the album, evict the original owner, and control all shared assets. …
Remediation Vendor-released patch: upgrade immich to v3.0.3 or later (https://github.com/immich-app/immich/releases/tag/v3.0.3), which merges the owner-only enforcement fix in PR #29883 (commit 84dff19ca9a467752d848ff54763d62c04ebf960). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Immich deployments and confirm current versions against v3.0.3; flag any instances running pre-3.0.3 as requiring urgent patching. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy