CVE-2026-40096
Open Redirect in Immich Shared Album Enables Phishing
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| futo | immich | < 2.7.3 (2.7.3 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40096 is an open redirect vulnerability in immich, a self-hosted photo and video management solution. The issue exists in versions prior to 2.7.3 in the shared album functionality, where the album name is inserted into an HTML meta tag of the shared-album page without proper sanitization.
A registered attacker can create a shared album whose name is crafted to carry meta refresh content. When a victim opens the shared album link, the browser automatically redirects to an attacker-controlled website. This happens because the album name is injected into the meta tag without encoding, so the crafted value can turn that tag into a meta refresh that triggers the redirect.
This vulnerability facilitates phishing: victims can be redirected to fake login pages hosted by the attacker, exposing their credentials. The issue was fixed in immich version 2.7.3.
How can this vulnerability impact me?
This vulnerability can impact you by enabling attackers to perform phishing attacks through malicious redirection.
- An attacker who is a registered user can create a shared album with a crafted name that causes victims to be redirected to a malicious website.
- Victims who open the shared album link may be redirected without warning to attacker-controlled sites that can mimic legitimate login pages.
- This can lead to theft of login credentials or other sensitive information.
The vulnerability has a moderate severity score (CVSS 5.1) and requires the attacker to have low privileges (registered user) and the victim to interact by opening the shared link.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to create a shared album with a specially crafted name containing a meta refresh tag, such as `0;url=https://example.com" http-equiv="refresh`. After sharing the album link, open it in a browser and check whether it automatically redirects to the specified external site.
A practical detection method involves verifying if the album name is unsanitized in the HTML meta tag by inspecting the page source or using web debugging tools to observe if the meta refresh tag is injected.
No specific command-line tools or commands are provided in the available resources to detect this vulnerability automatically.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade immich-server to version 2.7.3 or later, where the vulnerability has been fixed by properly encoding user input in the meta tags to prevent injection of malicious content.
If upgrading immediately is not possible, avoid sharing albums with untrusted users or with album names that could contain malicious content, and educate users to be cautious when opening shared album links.
The underlying fix involves encoding user input with HTML entities (e.g., converting `"` to `&quot;`) so that a crafted album name cannot inject a meta refresh tag that causes redirection.
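As an added illustration of the flaw and of the entity-encoding fix described above (example code written for this page, not immich's own; the `renderMeta*` helpers, the `description` meta attribute and the sample album name are assumptions), here is a minimal vulnerable renderer beside its encoded counterpart, plus a unit-test style check a maintainer can run over the rendered output:

```javascript
// Added example: an unescaped album name interpolated into a <meta> attribute
// versus the same value passed through HTML attribute encoding.
// Hypothetical helpers, not immich's own code.

// Minimal HTML attribute encoder: the five characters that can terminate
// or alter an attribute value or the surrounding tag.
function encodeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-encoded
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The weak pattern: the album name is interpolated verbatim into the attribute.
function renderMetaVulnerable(albumName) {
  return `<meta name="description" content="${albumName}">`;
}

// The corrected pattern: encode before interpolating, so a quote in the name
// stays inside the content attribute instead of closing it.
function renderMetaSafe(albumName) {
  return `<meta name="description" content="${encodeHtmlAttr(albumName)}">`;
}

// Defender-side regression check on the rendered string: does any <meta> tag
// now carry an http-equiv="refresh" attribute? Heuristic string match, meant
// for a unit test over a renderer, not a full HTML parser.
function containsMetaRefresh(html) {
  return /<meta\b[^>]*\bhttp-equiv\s*=\s*["']?refresh["']?/i.test(html);
}

// Constructed sample album name, shaped like the crafted value discussed above.
const craftedName = '0;url=https://example.com" http-equiv="refresh';

console.log(renderMetaVulnerable(craftedName)); // attribute boundary escaped: redirect possible
console.log(renderMetaSafe(craftedName));       // quotes become &quot;: plain description text
```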
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to perform phishing attacks by redirecting users to attacker-controlled sites that can steal login credentials. This can lead to unauthorized access to user accounts and potentially expose personal data.
Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and preventing unauthorized access.
However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these standards.