CVE-2026-23896

Severity: HIGH | WAF: Low
CVSS: 8.8 | Published: 2026-01-29
CWE-269

immich is a high-performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.

WAF Coverage Analysis

Improper Privilege Management: Low WAF Coverage

OWASP: A01:2021 Broken Access Control

Affected Software

Vendor | Product | Version
immich | immich | up to 2.5.0
