CVE-2026-23896
Unknown Unknown - Not Provided
Privilege Escalation via API Key in immich Before

Publication date: 2026-01-29

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23896
EUVD
EUVD-2026-4957
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
futo immich to 2.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows a low-privilege API key to escalate its permissions to full administrative access, leading to complete account takeover and unrestricted access to all user data. This unauthorized access and potential data exposure could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data. [1]

Executive Summary

This vulnerability in immich-server versions prior to 2.5.0 allows an API key with low privileges to escalate its own permissions by exploiting the update endpoint. Specifically, the update method in the API key service does not verify if the requesting API key has the authority to grant higher permissions. As a result, a low-privilege API key can grant itself full administrative access, bypassing intended permission checks. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker with a low-privilege API key to escalate to full administrative access. This leads to complete account takeover, unrestricted access to all user data, and full control over administrative functions within the immich system, potentially compromising confidentiality, integrity, and availability of data. [1]

Detection Guidance

This vulnerability can be detected by attempting to update an API key's permissions via the immich server's API update endpoint and observing if a low-privilege API key can escalate its permissions without proper authorization. A practical approach is to use an HTTP client (e.g., curl) to send a PATCH or PUT request to the API key update endpoint on the immich server (default port 2283) with modified permissions set to "all". If the request succeeds and the API key gains elevated permissions, the vulnerability exists. Example command: curl -X PATCH http://<immich-server>:2283/api-keys/<api-key-id> -H "Authorization: Bearer <low-privilege-api-key>" -H "Content-Type: application/json" -d '{"permissions": "all"}' -v. A successful HTTP 200 or 201 response indicates the vulnerability. Additionally, attempts to perform previously forbidden actions (e.g., creating an album) before and after the update can confirm privilege escalation. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the immich-server to version 2.5.0 or later, where this vulnerability is fixed. Until the upgrade is applied, restrict the creation and use of API keys with update permissions, especially limiting who can create API keys and monitor API key usage closely. Additionally, consider disabling or restricting access to the API key update endpoint if possible to prevent unauthorized privilege escalation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23896. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart