Open Redirect Vulnerability in Immich Photo Management Solution
CVE-2026-40096

5.1MEDIUM

Key Information:

Vendor: Immich-app
Status: Immich
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-40096?

Immich is a high-performance, self-hosted photo and video management solution that has a vulnerability affecting versions prior to 2.7.3. This open redirect issue exists within the shared album functionality, allowing attackers to exploit it by crafting a specially formatted album name that is inserted unsanitized into a tag. When users access the shared link, the renders the malicious code, redirecting the victim's browser to a site controlled by the attacker. This could lead to significant security risks, as unsuspecting users may be misled into providing login credentials on a fraudulent site designed to mimic the Immich interface. Users are encouraged to update to version 2.7.3 or later to mitigate this risk.

Affected Version(s)

immich < 2.7.3

References

https://github.com/immich-app/immich/security/advisories/...

x_refsource_CONFIRM

https://github.com/immich-app/immich/releases/tag/v2.7.3

x_refsource_MISC

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Apr 9, 2026

CVE-2026-40096 Data

JSON

Immich-app

What is CVE-2026-40096?

Affected Version(s)

References

CVSS V4

Timeline