CVE-2026-23896
Unknown Unknown - Not Provided

Privilege Escalation via API Key in immich Before

Vulnerability report for CVE-2026-23896, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-29

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description

immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-29
Last Modified
2026-04-15
Generated
2026-07-06
AI Q&A
2026-01-29
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
futo immich to 2.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in immich-server versions prior to 2.5.0 allows an API key with low privileges to escalate its own permissions by exploiting the update endpoint. Specifically, the update method in the API key service does not verify if the requesting API key has the authority to grant higher permissions. As a result, a low-privilege API key can grant itself full administrative access, bypassing intended permission checks. [1]

Compliance Impact

The vulnerability allows a low-privilege API key to escalate its permissions to full administrative access, leading to complete account takeover and unrestricted access to all user data. This unauthorized access and potential data exposure could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker with a low-privilege API key to escalate to full administrative access. This leads to complete account takeover, unrestricted access to all user data, and full control over administrative functions within the immich system, potentially compromising confidentiality, integrity, and availability of data. [1]

Detection Guidance

This vulnerability can be detected by attempting to update an API key's permissions via the immich server's API update endpoint and observing if a low-privilege API key can escalate its permissions without proper authorization. A practical approach is to use an HTTP client (e.g., curl) to send a PATCH or PUT request to the API key update endpoint on the immich server (default port 2283) with modified permissions set to "all". If the request succeeds and the API key gains elevated permissions, the vulnerability exists. Example command: curl -X PATCH http://<immich-server>:2283/api-keys/<api-key-id> -H "Authorization: Bearer <low-privilege-api-key>" -H "Content-Type: application/json" -d '{"permissions": "all"}' -v. A successful HTTP 200 or 201 response indicates the vulnerability. Additionally, attempts to perform previously forbidden actions (e.g., creating an album) before and after the update can confirm privilege escalation. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the immich-server to version 2.5.0 or later, where this vulnerability is fixed. Until the upgrade is applied, restrict the creation and use of API keys with update permissions, especially limiting who can create API keys and monitor API key usage closely. Additionally, consider disabling or restricting access to the API key update endpoint if possible to prevent unauthorized privilege escalation. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23896. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart