CVE-2026-23896

Source
https://cve.org/CVERecord?id=CVE-2026-23896
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23896.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23896
Aliases
  • GHSA-237r-x578-h5mv
Published
2026-01-29T17:12:43.543Z
Modified
2026-01-30T02:35:02.303234Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
immich API Key Privilege Escalation vulnerability
Details

immich is a high-performance, self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23896.json",
    "cwe_ids": [
        "CWE-269"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/immich-app/immich

Affected ranges

Type
GIT
Repo
https://github.com/immich-app/immich
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.0"
        }
    ]
}

Affected versions

Other
first-android-release
v0.*
v0.2-dev
v0.3-dev
v0.4-dev
v0.5-dev
v0.6-dev
v1.*
v1.10.0_15-dev
v1.100.0
v1.101.0
v1.102.0
v1.102.1
v1.102.2
v1.102.3
v1.103.0
v1.103.1
v1.104.0
v1.105.0
v1.105.1
v1.106.0
v1.106.1
v1.106.2
v1.106.3
v1.106.4
v1.107.0
v1.107.1
v1.107.2
v1.108.0
v1.109.0
v1.109.1
v1.109.2
v1.11.0_17-dev
v1.110.0
v1.111.0
v1.112.0
v1.112.1
v1.113.0
v1.113.1
v1.114.0
v1.115.0
v1.116.0
v1.116.1
v1.116.2
v1.117.0
v1.118.0
v1.118.1
v1.118.2
v1.119.0
v1.119.1
v1.12.0_18-dev
v1.120.0
v1.120.1
v1.120.2
v1.121.0
v1.122.0
v1.122.1
v1.122.2
v1.122.3
v1.123.0
v1.124.0
v1.124.1
v1.124.2
v1.125.0
v1.125.1
v1.125.2
v1.125.3
v1.125.4
v1.125.5
v1.125.6
v1.125.7
v1.126.0
v1.126.1
v1.127.0
v1.128.0
v1.129.0
v1.13.0_20-dev
v1.130.0
v1.130.1
v1.130.2
v1.130.3
v1.131.0
v1.131.1
v1.131.2
v1.131.3
v1.132.0
v1.132.1
v1.132.2
v1.132.3
v1.133.0
v1.133.1
v1.134.0
v1.135.0
v1.135.1
v1.135.2
v1.135.3
v1.136.0
v1.137.0
v1.137.1
v1.137.2
v1.137.3
v1.138.0
v1.138.1
v1.139.0
v1.139.1
v1.139.2
v1.139.3
v1.139.4
v1.14.0_21-dev
v1.140.0
v1.140.1
v1.141.0
v1.141.1
v1.142.0
v1.142.1
v1.143.0
v1.143.1
v1.144.0
v1.144.1
v1.15.0_21-dev
v1.15.1_21-dev
v1.16.0_23-dev
v1.17.0_25-dev
v1.18.0_27-dev
v1.19.0_29-dev
v1.19.1_29-dev
v1.20.0_30-dev
v1.20.1_30-dev
v1.20.2_30-dev
v1.20.3_30-dev
v1.21.0_31-dev
v1.21.1_31-dev
v1.22.0_32-dev
v1.23.0_33-dev
v1.24.0_34-dev
v1.25.0_35-dev
v1.26.0_36-dev
v1.27.0_37-dev
v1.28.0_38-dev
v1.28.1_39-dev
v1.28.2_40-dev
v1.28.3_41-dev
v1.28.4_41-dev
v1.28.4_42-dev
v1.29.0_42-dev
v1.29.1_43-dev
v1.29.2_43-dev
v1.29.3_43-dev
v1.29.4_44-dev
v1.29.5_44-dev
v1.29.6_44-dev
v1.29.6_45-dev
v1.3.0-dev
v1.3.1-dev
v1.30.0_46-dev
v1.30.2_48-dev
v1.31.0_49-dev
v1.31.1_49-dev
v1.32.0_50-dev
v1.32.1_51-dev
v1.33.0_52-dev
v1.33.1_52-dev
v1.34.0_53-dev
v1.35.0_54-dev
v1.36.0_55-dev
v1.36.1_55-dev
v1.36.2_56-dev
v1.37.0_58-dev
v1.38.0_60-dev
v1.38.1_60-dev
v1.38.2_60-dev
v1.39.0_61-dev
v1.4.0+6-dev
v1.4.0+7-dev
v1.4.0-dev
v1.40.0_63-dev
v1.40.1_63-dev
v1.41.0_64-dev
v1.41.1_64-dev
v1.42.0_65-dev
v1.43.0
v1.43.1
v1.44.0
v1.45.0
v1.46.0
v1.46.1
v1.47.0
v1.47.1
v1.47.2
v1.47.3
v1.48.0
v1.48.1
v1.49.0
v1.5.0+8-dev
v1.5.1+9-dev
v1.50.0
v1.50.1
v1.51.0
v1.51.1
v1.51.2
v1.52.0
v1.52.1
v1.53.0
v1.54.0
v1.54.1
v1.55.0
v1.55.1
v1.56.0
v1.56.1
v1.56.2
v1.57.0
v1.57.1
v1.58.0
v1.59.0
v1.59.1
v1.6.0_10-dev
v1.60.0
v1.61.0
v1.62.0
v1.62.1
v1.63.0
v1.63.1
v1.63.2
v1.64.0
v1.65.0
v1.66.0
v1.66.1
v1.67.0
v1.67.1
v1.67.2
v1.68.0
v1.69.0
v1.7.0_11-dev
v1.70.0
v1.71.0
v1.72.0
v1.72.1
v1.72.2
v1.73.0
v1.74.0
v1.75.0
v1.75.1
v1.75.2
v1.76.0
v1.76.1
v1.77.0
v1.78.0
v1.78.1
v1.79.0
v1.79.1
v1.8.0_12-dev
v1.80.0
v1.81.0
v1.81.1
v1.82.0
v1.82.1
v1.83.0
v1.84.0
v1.85.0
v1.86.0
v1.87.0
v1.88.0
v1.88.1
v1.88.2
v1.89.0
v1.9.0_13-dev
v1.9.1_14-dev
v1.90.0
v1.90.1
v1.90.2
v1.91.0
v1.91.1
v1.91.2
v1.91.3
v1.91.4
v1.92.0
v1.92.1
v1.93.0
v1.93.1
v1.93.2
v1.93.3
v1.94.0
v1.94.1
v1.95.0
v1.95.1
v1.96.0
v1.97.0
v1.98.0
v1.98.1
v1.98.2
v1.99.0
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.4.0
v2.4.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23896.json"