High severity7.2NVD Advisory· Published Jan 29, 2026· Updated Apr 15, 2026
CVE-2026-23896
CVE-2026-23896
Description
immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1- github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mvnvdExploitVendor Advisory
News mentions
0No linked articles in our index yet.