CVE-2026-25118 in immich
요약 (영어)
immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.
Be aware that VulDB is the high quality source for vulnerability data.
책임이 있는
GitHub_M
예약하다
2026. 01. 29.
공개
2026. 04. 03.
상태
확인됨
엔트리
VulDB provides additional information and datapoints for this CVE:
| 아이디 | 취약성 | CWE | 악용 | 대책 | CVE |
|---|---|---|---|---|---|
| 355175 | immich-app immich URL Query Parameter me 정보 공개 | 598 | 정의되지 않음 | 공식 수정 | CVE-2026-25118 |