CVE-2026-23896
📋 TL;DR
This vulnerability allows low-privilege API keys in Immich to escalate their own permissions by calling the update endpoint, granting themselves full administrative access. It affects all Immich installations prior to version 2.5.0 where API keys are used. Users with self-hosted Immich instances are at risk.
💻 Affected Systems
- immich
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with any API key can gain full administrative control over the Immich instance, allowing them to view, modify, or delete all photos/videos, create new users, and potentially access the underlying server.
Likely Case
Malicious users or compromised low-privilege API keys escalate to admin privileges, leading to unauthorized access to sensitive media and system configuration.
If Mitigated
If proper network segmentation and API key management are in place, impact is limited to the Immich application data only.
🎯 Exploit Status
Exploitation requires a valid API key (any privilege level). The vulnerability is in the API endpoint logic, making exploitation straightforward once an API key is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.0
Vendor Advisory: https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv
Restart Required: Yes
Instructions:
1. Back up your Immich database and media files.
2. Update Immich to version 2.5.0 or later using your deployment method (Docker, manual, etc.).
3. Restart the Immich services.
4. Regenerate all API keys as a precaution.
🔧 Temporary Workarounds
Disable API Key Usage
Temporarily disable all API key authentication until patched (all platforms)
Modify Immich configuration to disable API key endpoints or restrict network access to API endpoints
Network Restriction
Restrict access to Immich API endpoints to trusted IPs only (Linux)
Use firewall rules to limit access to Immich ports (e.g., 2283) to specific IP addresses
🧯 If You Can't Patch
- Rotate all API keys immediately and monitor for suspicious activity
- Implement strict network segmentation to isolate Immich from other critical systems
🔍 How to Verify
Check if Vulnerable:
Check your Immich version. If it's below 2.5.0 and you use API keys, you are vulnerable.
Check Version:
docker exec immich-server node -e "console.log(require('/usr/src/app/package.json').version)" or check Immich web interface settings
Verify Fix Applied:
After updating, verify the version is 2.5.0 or higher and test that API keys cannot modify their own permissions via the update endpoint.
📡 Detection & Monitoring
Log Indicators:
- API calls to permission update endpoints from low-privilege API keys
- Unusual permission changes in audit logs
Network Indicators:
- Multiple PATCH/PUT requests to /api/keys/* endpoints from a single API key
SIEM Query:
source="immich" AND (url_path="/api/keys/" AND method="PATCH")
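The indicators above can be checked offline against access logs. The script below is an added example, not part of the advisory or of Immich itself; it assumes a constructed reverse-proxy log format that records the API key id (`key=...`) alongside method and path, and flags a key that PATCHes or PUTs its own record (the self-escalation pattern this CVE describes) or that issues repeated key updates.

```python
import re
from collections import Counter

# Constructed sample log lines (not from a real instance). Assumed format:
# <client_ip> key=<api_key_id> <METHOD> <path> <status>
SAMPLE_LOGS = """\
10.0.0.5 key=k-photos-ro GET /api/assets 200
10.0.0.5 key=k-photos-ro PATCH /api/keys/k-photos-ro 200
10.0.0.9 key=k-admin PUT /api/keys/k-backup 200
10.0.0.5 key=k-photos-ro PATCH /api/keys/k-photos-ro 200
10.0.0.7 key=k-sync GET /api/keys/k-sync 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) key=(?P<key>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$'
)
# Matches the /api/keys/* paths named in the advisory's network indicators.
KEYS_PATH_RE = re.compile(r'^/api/keys/(?P<target>[^/?]+)')


def find_key_updates(log_text):
    """Return one event per PATCH/PUT request that targets an API key record."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] not in ('PATCH', 'PUT'):
            continue
        p = KEYS_PATH_RE.match(m['path'])
        if not p:
            continue
        events.append({
            'ip': m['ip'],
            'key': m['key'],
            'method': m['method'],
            'target': p['target'],
            # A key updating its own record is the core indicator for this CVE.
            'self_update': p['target'] == m['key'],
            'status': int(m['status']),
        })
    return events


def suspicious_keys(events, max_updates=1):
    """Keys that successfully updated themselves, or made more than max_updates key updates."""
    flagged = {e['key'] for e in events if e['self_update'] and e['status'] < 400}
    counts = Counter(e['key'] for e in events)
    flagged |= {k for k, n in counts.items() if n > max_updates}
    return sorted(flagged)


if __name__ == '__main__':
    print(suspicious_keys(find_key_updates(SAMPLE_LOGS)))  # ['k-photos-ro']
```

On real data, feed the proxy's access log through `find_key_updates` and treat any self-update from a non-admin key as a priority alert, since a successful one means that key may now hold admin permissions.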