{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23896", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T21:02:02.903Z", "datePublished": "2026-01-29T17:12:43.543Z", "dateUpdated": "2026-01-29T21:25:38.711Z"}, "containers": {"cna": {"title": "immich API Key Privilege Escalation vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv"}], "affected": [{"vendor": "immich-app", "product": "immich", "versions": [{"version": "< 2.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T17:12:43.543Z"}, "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue."}], "source": {"advisory": "GHSA-237r-x578-h5mv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T21:25:28.260765Z", "id": "CVE-2026-23896", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T21:25:38.711Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23896", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-29T21:25:28.260765Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T21:25:33.128Z"}}], "cna": {"title": "immich API Key Privilege Escalation vulnerability", "source": {"advisory": "GHSA-237r-x578-h5mv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "immich-app", "product": "immich", "versions": [{"status": "affected", "version": "< 2.5.0"}]}], "references": [{"url": "https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv", "name": "https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T17:12:43.543Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23896", "state": "PUBLISHED", "dateUpdated": "2026-01-29T21:25:38.711Z", "dateReserved": "2026-01-16T21:02:02.903Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-29T17:12:43.543Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:futo:immich:*:*:*:*:*:docker:*:*", "matchCriteriaId": "6A876FF0-015E-48C7-8319-4E23ACC5F6F2", "versionEndExcluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue."}, {"lang": "es", "value": "immich es una soluci\u00f3n de gesti\u00f3n de fotos y videos autoalojada de alto rendimiento. Antes de la versi\u00f3n 2.5.0, las claves API pueden escalar sus propios permisos al llamar al endpoint de actualizaci\u00f3n, permitiendo que una clave API de bajo privilegio se otorgue acceso administrativo completo al sistema. La versi\u00f3n 2.5.0 corrige el problema."}], "id": "CVE-2026-23896", "lastModified": "2026-04-15T18:55:12.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-29T18:16:14.970", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:24:30.796996+00:00", "value": {"mitigation_remediation": ["Upgrade immich to version 2.5.0 or later to apply the security fix, re\u2011enabling the update endpoint restriction for API keys.", "Revoke all existing API keys, generate new keys with the minimal required scopes, and publish them to authorized applications only.", "Enable comprehensive logging of API calls and monitor for unexpected privilege changes or elevated key usage to detect abuse early."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via API Key Update"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the immich\u2011app photo and video management solution. Any installation running a version earlier than 2.5.0 is vulnerable, regardless of platform, including Docker deployments as indicated by the CPE record cpe:2.3:a:futo:immich:*:*:*:*:*:docker:*:*.", "description_and_impact": "An authenticated API key can use the update endpoint to increase its own permission level to full administrative rights. This privilege escalation lets an attacker read, modify, or delete all stored media and system settings, undermining confidentiality, integrity, and availability of the immich deployment.", "risk_and_exploitability": "The CVSS score of 7.2 signals high severity, yet the EPSS score of less than 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an existing API key; once a key is obtained, the attacker can call the update endpoint to grant themselves administrator access, potentially compromising the entire system."}}}}, "created": "2026-01-30T08:42:50.357062+00:00", "updated": "2026-04-18T01:30:16.042857+00:00", "vendors": ["immich-app", "immich-app$PRODUCT$immich"]}