CVE-2026-25118
Credential Disclosure in Immich Shared Album Authentication via URL Parameters
Publication date: 2026-04-03
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| futo | immich | up to 2.6.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-598 | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Immich application prior to version 2.6.0. When a user authenticates to a shared album, the application sends the album password within the URL query parameters in a GET request to /api/shared-links/me.
Because the password is included in the URL, it can be exposed in browser history, proxy and server logs, and referrer headers. This leads to unintended disclosure of the authentication credentials.
How can this vulnerability impact me?
This vulnerability can lead to the compromise of shared album access by exposing the album password to unintended parties.
As a result, unauthorized users may gain access to sensitive user data contained within the shared albums.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Immich application to version 2.6.0 or later, where the issue has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Immich involves the exposure of album passwords in URL query parameters during authentication to shared albums. This exposure can lead to unauthorized access to private album content and sensitive user data such as user identifiers and email addresses.
Such unauthorized disclosure of authentication credentials and personal data could potentially violate data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of authentication credentials.
The vulnerability increases the risk of data breaches through exposure in browser history, proxy and server logs, and referrer headers, which are areas typically required to be protected under these regulations.
The issue was addressed in version 2.6.0 by removing passwords from URLs and API responses and restricting asset removal permissions, thereby improving compliance with security best practices relevant to these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for GET requests to the endpoint /api/shared-links/me that include a password parameter in the URL query string. Such requests expose the album password in the URL, which should not occur.
A practical detection method is to capture and inspect HTTP requests to identify URLs containing the password parameter, for example using network packet capture tools or proxy logs.
Example commands to detect this vulnerability include:
- Using tcpdump to capture TCP segments that carry payload on port 80 and grep for the vulnerable request. The pattern below matches the password parameter anywhere in the query string, not only when it is the first parameter: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'GET /api/shared-links/me\?.*password='. This only works for plaintext HTTP; if Immich is served over HTTPS, capture at or behind the TLS-terminating reverse proxy, or use its access logs instead.
- Using tshark to filter HTTP GET requests with the password parameter: tshark -Y 'http.request.method == "GET" && http.request.uri contains "password=" && http.request.uri contains "/api/shared-links/me"' -T fields -e http.request.full_uri
- Reviewing web server access logs for entries with the /api/shared-links/me endpoint and query parameters containing 'password='.
These methods help identify whether vulnerable versions of Immich are transmitting passwords in URLs, indicating exposure to CVE-2026-25118.
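The log-review method above, worked through as an added example (this is not code from the advisory or from the Immich project). It scans access-log lines in the common combined format used by Nginx and Apache for GET requests to /api/shared-links/me whose query string carries a password parameter, and also checks the Referer field, since the page notes that referrer headers are one of the places the credential leaks to. The log lines are constructed for the example; the endpoint path and parameter name come from the advisory, and the log format is an assumption about how the reverse proxy is configured. Findings deliberately never contain the password value, so the detection output does not become one more place where the credential is stored.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Apr/2026:10:01:02 +0000] "GET /api/shared-links/me?password=hunter2 HTTP/1.1" 200 512 "https://photos.example.test/share/abc" "Mozilla/5.0"
203.0.113.11 - - [03/Apr/2026:10:01:05 +0000] "GET /api/shared-links/me?key=abc&password=s3cret HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [03/Apr/2026:10:01:09 +0000] "GET /api/shared-links/me?key=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [03/Apr/2026:10:01:12 +0000] "POST /api/shared-links/me HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.14 - - [03/Apr/2026:10:01:15 +0000] "GET /api/albums?password=notthisone HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.15 - - [03/Apr/2026:10:01:18 +0000] "GET /static/logo.png HTTP/1.1" 200 1024 "https://photos.example.test/api/shared-links/me?password=leaked" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request line", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

VULN_PATH = "/api/shared-links/me"   # endpoint named in the advisory
SENSITIVE_PARAM = "password"         # query parameter named in the advisory


def _password_in_url(url):
    """Return the parsed query of url if it targets the vulnerable endpoint and
    carries the sensitive parameter, else None. Works for both a bare request
    target ("/api/...?x=y") and an absolute Referer URL."""
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # flag "password=" with empty value too
    return params if SENSITIVE_PARAM in params else None


def find_exposed_credentials(log_text):
    """One finding per log line where the album password travels in a URL, either in
    the GET request target or in the Referer header. The value itself is not copied."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production tool would count and report these
        sources = []
        if m.group("method") == "GET":
            sources.append(("request", _password_in_url(m.group("target"))))
        sources.append(("referer", _password_in_url(m.group("referer"))))
        for source, params in sources:
            if params is None:
                continue
            findings.append({
                "line": lineno,
                "source": source,
                "client": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "other_params": sorted(k for k in params if k != SENSITIVE_PARAM),
                "password_length": len(params[SENSITIVE_PARAM][0]),
            })
    return findings


def redact_line(line):
    """Mask the password value so a log line can be kept or shared without re-leaking it."""
    return re.sub(r'(password=)[^&\s"]*', r'\1<REDACTED>', line)


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_LOG):
        print(f)
    print(redact_line(SAMPLE_LOG.splitlines()[0]))
```

Run it against the access logs of the reverse proxy or the Immich container rather than a packet capture: the proxy sees the full URL even when clients connect over TLS. Any hit from a version below 2.6.0 means that password has to be treated as disclosed and rotated after the upgrade, and the affected log files themselves should be redacted or purged.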