CVE-2026-23896
7.2 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): HIGH
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Activity log
- Automatic suggestion created
- @jopejoe1 removed 8 packages from the match:
  - immich-go
  - immich-cli
  - immich-kiosk
  - immich-public-proxy
  - python312Packages.aioimmich
  - python313Packages.aioimmich
  - gnomeExtensions.immich-wallpaper
  - home-assistant-component-tests.immich
immich API Key Privilege Escalation vulnerability
immich is a high-performance self-hosted photo and video management solution. Prior to version 2.5.0, an API key can escalate its own permissions by calling the update endpoint, so a low-privilege API key can grant itself full administrative access to the system. Version 2.5.0 fixes the issue; until an instance is upgraded, any API key it has issued should be treated as admin-equivalent.
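The advisory names the vulnerability class (a credential rewriting its own permission set through an update handler) without showing it. The TypeScript below is an added illustration written for this page, not immich's code: it contrasts a key-update handler that only checks ownership with one that also refuses to grant a non-admin caller any permission it does not already hold. The type names, permission strings, function names and sample data are all assumptions made for the example and do not describe immich's real endpoints or data model.

```typescript
// Added illustration for this page; not immich code. Every type, permission
// string and function name here is an assumption made for the example.

type Permission = 'all' | 'asset.read' | 'asset.upload' | 'user.write';

interface ApiKey {
  id: string;
  userId: string;
  permissions: Permission[];
}

interface Caller {
  userId: string;
  // Permissions of the credential making this request (for an API key, the
  // key's own list; for a browser session, derived from the user's role).
  permissions: Permission[];
  // True only for an administrator authenticated with a session, never for
  // a request authenticated by an API key.
  isAdminSession: boolean;
}

class ForbiddenError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'ForbiddenError';
  }
}

function assertOwner(caller: Caller, key: ApiKey): void {
  if (key.userId !== caller.userId) {
    throw new ForbiddenError('key belongs to another user');
  }
}

// Vulnerable pattern: ownership is checked, but the submitted permission
// list is written back as-is. A key holding only asset.read can submit
// ['all'] and become fully privileged.
function updateKeyVulnerable(caller: Caller, key: ApiKey, requested: Permission[]): ApiKey {
  assertOwner(caller, key);
  return { ...key, permissions: [...requested] };
}

// Hardened pattern: a non-admin caller may only assign permissions it
// already holds, so a key can be narrowed or kept but never widened by
// itself. Widening requires an admin session.
function updateKeyHardened(caller: Caller, key: ApiKey, requested: Permission[]): ApiKey {
  assertOwner(caller, key);
  if (!caller.isAdminSession) {
    const held = new Set<Permission>(caller.permissions);
    const escalates: Permission[] = held.has('all') ? [] : requested.filter((p) => !held.has(p));
    if (escalates.length > 0) {
      throw new ForbiddenError(`cannot grant permissions the caller does not hold: ${escalates.join(', ')}`);
    }
  }
  return { ...key, permissions: [...requested] };
}

// Constructed sample data for a stand-alone run (not real identifiers).
const lowPrivKey: ApiKey = { id: 'key-1', userId: 'user-1', permissions: ['asset.read'] };
const lowPrivCaller: Caller = { userId: 'user-1', permissions: ['asset.read'], isAdminSession: false };
const adminCaller: Caller = { userId: 'user-1', permissions: ['all'], isAdminSession: true };

// Runs the same escalation attempt against both handlers.
function demo(): { vulnerable: Permission[]; hardenedRejected: boolean } {
  const vulnerable = updateKeyVulnerable(lowPrivCaller, lowPrivKey, ['all']).permissions;
  let hardenedRejected = false;
  try {
    updateKeyHardened(lowPrivCaller, lowPrivKey, ['all']);
  } catch (e) {
    hardenedRejected = (e as Error).name === 'ForbiddenError';
  }
  return { vulnerable, hardenedRejected };
}

console.log(demo());
```

The check in the hardened handler is deliberately on the caller's credential, not on the key being edited: the thing that must not be widened is the privilege of whoever is making the request, and an admin session is the only principal allowed to hand out permissions it is not itself restricted to.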
References
- https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv (vendor advisory, CONFIRM)
Affected products
immich
- < 2.5.0
Matching in nixpkgs
pkgs.immich
Self-hosted photo and video backup solution
pkgs.immich-machine-learning
Self-hosted photo and video backup solution (machine learning component)
pkgs.pkgsRocm.immich-machine-learning
Self-hosted photo and video backup solution (machine learning component)
Package maintainers
- @titaniumtown Simon Gardling <titaniumtown@proton.me>
- @Scrumplex Sefa Eyeoglu <contact@scrumplex.net>
- @jvanbruegge Jan van Brügge <supermanitu@gmail.com>
- @dotlambda <nix@dotlambda.de>