CVE-2026-40096
Open Redirect in Immich Shared Album Enables Phishing

Publication date: 2026-04-15

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a `<meta>` tag in api.service.ts. A registered attacker can create a shared album with a crafted name containing `0;url=https://attackersite.com" http-equiv="refresh`, which when rendered in the `<meta property="og:title">` tag causes the victim's browser to redirect to an attacker-controlled site upon opening the share link. This facilitates phishing attacks, as the attacker could host a modified version of immich that collects login credentials from victims who believe they need to authenticate to view the shared album. This issue has been fixed in version 2.7.3.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: futo
Product: immich
Version range: up to 2.7.3 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40096 is an open redirect vulnerability in immich, a self-hosted photo and video management solution. The issue exists in versions prior to 2.7.3 in the shared album functionality, where the album name is inserted without proper sanitization into a meta tag in the application's code.

A registered attacker can create a shared album with a specially crafted name containing malicious meta refresh content. When a victim opens the shared album link, their browser is automatically redirected to an attacker-controlled website. This happens because the album name is directly injected into the HTML meta tag without encoding, enabling the injection of a meta refresh tag that triggers the redirect.

This vulnerability facilitates phishing attacks by redirecting victims to fake login pages hosted by attackers, potentially stealing user credentials. The issue was fixed in immich version 2.7.3.


How can this vulnerability impact me?

This vulnerability can impact you by enabling attackers to perform phishing attacks through malicious redirection.

  • An attacker who is a registered user can create a shared album with a crafted name that causes victims to be redirected to a malicious website.
  • Victims who open the shared album link may be redirected without warning to attacker-controlled sites that can mimic legitimate login pages.
  • This can lead to theft of login credentials or other sensitive information.

The vulnerability has a moderate severity score (CVSS 5.1) and requires the attacker to have low privileges (registered user) and the victim to interact by opening the shared link.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to create a shared album with a specially crafted name containing a meta refresh tag, such as `0;url=https://example.com" http-equiv="refresh`. After sharing the album link, open it in a browser and check whether it triggers an automatic redirect to the specified external site.

A practical detection method involves verifying whether the album name is unsanitized in the HTML meta tag by inspecting the page source or using web debugging tools to observe whether the meta refresh tag is injected.

No specific command-line tools or commands are provided in the available resources to detect this vulnerability automatically.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade immich-server to version 2.7.3 or later, where the vulnerability has been fixed by properly encoding user input in the meta tags to prevent injection of malicious content.

If upgrading immediately is not possible, avoid sharing albums with untrusted users or with album names that could contain malicious content, and educate users to be cautious when opening shared album links.

The underlying fix involves encoding user input with HTML entities (e.g., converting `"` to `&quot;`) to prevent injection of meta refresh tags that cause redirection.
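The fix pattern described above, as an added example that is not immich's code: a hypothetical `og:title` renderer in its unescaped and attribute-escaped forms, plus a check that flags a rendered meta tag carrying an injected `http-equiv` attribute. All function names are assumptions; the crafted album name is the one quoted in the advisory.

```typescript
// Added example (not immich's code): the bug shape and the fix shape side by side.

// Escape the characters that can terminate or alter an HTML attribute value.
// Ampersand must be escaped first so existing entities are not double-handled.
function escapeHtmlAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical og:title renderer modelled on the pattern the advisory describes:
// the album name is interpolated into the content attribute. With escape=false it
// reproduces the defect; with escape=true it applies the fix (entity encoding).
function renderOgTitle(albumName: string, escape: boolean): string {
  const content = escape ? escapeHtmlAttr(albumName) : albumName;
  return `<meta property="og:title" content="${content}">`;
}

// Tokenize a single tag into attribute names the way a browser's tokenizer would:
// each name followed by a double-quoted value. Used only for the check below.
function attributeNames(tag: string): string[] {
  const names: string[] = [];
  const re = /([a-zA-Z-]+)="[^"]*"/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(tag)) !== null) {
    names.push(m[1]);
  }
  return names;
}

// Detection rule: a meta tag built from user input must never acquire http-equiv.
// If it does, the attribute value was broken out of and a refresh was injected.
function hasInjectedRefresh(tag: string): boolean {
  return attributeNames(tag).includes("http-equiv");
}

// Constructed sample input: the crafted album name quoted in the advisory.
const CRAFTED_NAME = '0;url=https://attackersite.com" http-equiv="refresh';
```

With `escape=false` the crafted name yields a tag whose attributes are `property`, `content` and `http-equiv`; with `escape=true` the quote becomes `&quot;` and the whole string stays inside `content`.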


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to perform phishing attacks by redirecting users to attacker-controlled sites that can steal login credentials. This can lead to unauthorized access to user accounts and potentially expose personal data.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and preventing unauthorized access.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these standards.

