Credential Disclosure Vulnerability in Immich Photo Management Solution
CVE-2026-25118

6.3 MEDIUM

Key Information:

Vendor: Immich-app

Status: Vendor

CVE Published: 3 April 2026

What is CVE-2026-25118?

The Immich photo and video management application has a flaw that discloses credentials when a user authenticates to a password-protected shared album. Prior to version 2.6.0, the application transmits the album password as a URL query parameter of a GET request. Because URLs are recorded in many places, this exposes the password in browser histories, server access logs, and Referer headers, increasing the risk of unauthorized access to shared albums and the user data they contain. Version 2.6.0 addresses this issue.
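The pattern described above, as an added example that is not Immich's own code: the vulnerable request shape beside a hardened one, plus a detector and redactor that operators can run over existing access logs to see whether album passwords have already been written to disk. The endpoint path, the header name and the log lines are assumptions constructed for illustration.

```typescript
// Added example, not Immich's own code. Endpoint path, header name and log
// lines are assumptions; the advisory only states the password travelled in a GET query.
const SHARED_ALBUM_PATH = "/api/shared-album"; // hypothetical endpoint
const SECRET_PARAMS = new Set(["password", "pass", "pwd"]);
const BASE = "http://placeholder.invalid"; // only needed to parse relative request targets

// Vulnerable pattern: the secret becomes part of the URL, so browser history,
// access logs and any Referer header sent to third-party resources capture it.
function vulnerableUrl(key: string, password: string): string {
  return `${SHARED_ALBUM_PATH}?${new URLSearchParams({ key, password })}`;
}

// Hardened pattern: only the non-secret share key stays in the URL; the
// password travels in a request header (a POST body works equally well).
function hardenedRequest(key: string, password: string): { url: string; headers: Record<string, string> } {
  return { url: `${SHARED_ALBUM_PATH}?${new URLSearchParams({ key })}`, headers: { "x-album-password": password } };
}

// Returns the names of secret-looking query parameters in a request target,
// so an operator can tell whether already-written logs contain passwords.
function leakedSecretParams(target: string): string[] {
  const keys = Array.from(new URL(target, BASE).searchParams.keys());
  return keys.filter((k) => SECRET_PARAMS.has(k.toLowerCase()));
}

// Replaces secret parameter values so a log line can be kept without the password.
function redactSecrets(target: string): string {
  const url = new URL(target, BASE);
  for (const k of Array.from(url.searchParams.keys())) {
    if (SECRET_PARAMS.has(k.toLowerCase())) url.searchParams.set(k, "REDACTED");
  }
  return url.pathname + url.search;
}

// Constructed access-log lines (common log format) standing in for a real server log.
const SAMPLE_LOG = [
  '203.0.113.7 - - [03/Apr/2026:10:00:01 +0000] "GET /api/shared-album?key=abc123&password=hunter2 HTTP/1.1" 200 512',
  '203.0.113.8 - - [03/Apr/2026:10:00:02 +0000] "GET /api/albums/42 HTTP/1.1" 200 1024',
];

// Scans log lines and reports which ones carry a password in the request target.
function scanAccessLog(lines: string[]): { line: number; params: string[] }[] {
  const hits: { line: number; params: string[] }[] = [];
  lines.forEach((text, i) => {
    const m = text.match(/"(?:GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP\//);
    const params = m ? leakedSecretParams(m[1]) : [];
    if (params.length > 0) hits.push({ line: i + 1, params });
  });
  return hits;
}
```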

Affected Version(s)

immich < 2.6.0


CVSS v4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved
