Access Control Flaw in Immich Affects Album Permissions
CVE-2026-59258
Key Information:
- Vendor
Immich-app
- Status
- Vendor
- CVE Published:
- 15 July 2026
Badges
What is CVE-2026-59258?
Immich versions before 3.0.3 are susceptible to a broken access control vulnerability in the PUT /albums/:id/user/:userId endpoint. This issue allows users with editor access to improperly alter member roles within shared albums, enabling them to demote the actual album owner to an editor position while promoting themselves to the owner role. Consequently, attackers can gain extensive control over album management, including the ability to delete or evict members.
Affected Version(s)
immich 0 < 3.0.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
