CVE-2026-23896
Privilege Escalation via API Key in immich Before

Publication date: 2026-01-29

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-01-29
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (1 associated CPE)
Vendor: futo
Product: immich
Version / Range: up to 2.5.0 (2.5.0 excluded)
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows a low-privilege API key to escalate its permissions to full administrative access, leading to complete account takeover and unrestricted access to all user data. This unauthorized access and potential data exposure could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data. [1]


Can you explain this vulnerability to me?

This vulnerability in immich-server versions prior to 2.5.0 allows an API key with low privileges to escalate its own permissions by exploiting the update endpoint. Specifically, the update method in the API key service does not verify if the requesting API key has the authority to grant higher permissions. As a result, a low-privilege API key can grant itself full administrative access, bypassing intended permission checks. [1]
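The missing authorization check described above, as an added illustration that is not immich's own code: a simplified API-key update handler in its vulnerable form beside a hardened form in which the requesting key must already hold every permission it tries to grant. The `ApiKey` type, the function names and the permission strings are assumptions made for this example.

```typescript
// Simplified model of the flaw: an API-key update that trusts whatever
// permission set the caller asks for. Names and permission strings are
// assumptions for this example, not immich's actual identifiers.
type Permission = 'all' | 'asset.read' | 'asset.upload' | 'album.create' | 'apiKey.update';

interface ApiKey {
  id: string;
  permissions: Permission[];
}

// Vulnerable variant: any caller that can reach the update endpoint may set
// any permissions, so a low-privilege key can grant itself 'all'.
function updateApiKeyVulnerable(requester: ApiKey, target: ApiKey, requested: Permission[]): ApiKey {
  return { ...target, permissions: [...requested] };
}

// A key holding 'all' implicitly holds every individual permission.
function holds(key: ApiKey, perm: Permission): boolean {
  return key.permissions.includes('all') || key.permissions.includes(perm);
}

// Hardened variant: the requester must itself hold 'apiKey.update' and every
// permission it tries to grant, so an update can never exceed the requester's
// own sphere of control (the CWE-269 condition the advisory describes).
function updateApiKeyChecked(requester: ApiKey, target: ApiKey, requested: Permission[]): ApiKey {
  if (!holds(requester, 'apiKey.update')) {
    throw new Error('forbidden: requester may not update API keys');
  }
  const escalated = requested.filter((p) => !holds(requester, p));
  if (escalated.length > 0) {
    throw new Error(`forbidden: requester cannot grant ${escalated.join(', ')}`);
  }
  return { ...target, permissions: [...requested] };
}

// Constructed sample: a key that may only read assets and manage keys tries to grant itself 'all'.
function demo(): { before: Permission[]; vulnerable: Permission[]; hardenedRejected: boolean } {
  const key: ApiKey = { id: 'key-1', permissions: ['asset.read', 'apiKey.update'] };
  const vulnerable = updateApiKeyVulnerable(key, key, ['all']);
  let hardenedRejected = false;
  try {
    updateApiKeyChecked(key, key, ['all']);
  } catch {
    hardenedRejected = true;
  }
  return { before: key.permissions, vulnerable: vulnerable.permissions, hardenedRejected };
}
```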


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker with a low-privilege API key to escalate to full administrative access. This leads to complete account takeover, unrestricted access to all user data, and full control over administrative functions within the immich system, potentially compromising confidentiality, integrity, and availability of data. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to update an API key's permissions via the immich server's API key update endpoint and observing whether a low-privilege API key can escalate its permissions without proper authorization. A practical approach is to use an HTTP client (e.g., curl) to send a PATCH or PUT request to the API key update endpoint on the immich server (default port 2283) with the permissions set to "all". If the request succeeds and the API key gains elevated permissions, the vulnerability exists. Example command: curl -X PATCH http://<immich-server>:2283/api-keys/<api-key-id> -H "Authorization: Bearer <low-privilege-api-key>" -H "Content-Type: application/json" -d '{"permissions": "all"}' -v. A successful HTTP 200 or 201 response indicates the vulnerability. Additionally, attempting a previously forbidden action (e.g., creating an album) before and after the update can confirm the privilege escalation. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade immich-server to version 2.5.0 or later, where this vulnerability is fixed. Until the upgrade is applied, restrict the creation and use of API keys with update permissions: limit who can create API keys and monitor API key usage closely. Additionally, consider disabling or restricting access to the API key update endpoint, if possible, to prevent unauthorized privilege escalation. [1]

