Account Hijacking Vulnerability in Immich by Immich Inc.
CVE-2025-43856

7.3HIGH

Key Information:

Vendor: Immich-app
Status: Immich
Vendor: CVE Published:; 11 July 2025

What is CVE-2025-43856?

Immich, a self-hosted photo and video management solution, is vulnerable to account hijacking due to inadequate validation of the oauth2 state parameter. This vulnerability allows attackers to exploit the OAuth2 login flow by embedding malicious code that can authenticate victims against the attacker's own account. When a user initiates the login process, an unpredictable state parameter is generated and stored in the browser session. If the user is already logged into immich, this can lead to automatic account linking without proper user verification, enabling attackers to access victims' accounts. The issue is resolved in version 1.132.0.

Affected Version(s)

immich < 1.132.0

References

https://github.com/immich-app/immich/security/advisories/...

x_refsource_CONFIRM

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 11, 2025
Vulnerability Reserved
Apr 17, 2025

Immich-app

What is CVE-2025-43856?

Affected Version(s)

References

CVSS V4

Timeline