CVE-2026-25118 Overview
CVE-2026-25118 is an Information Exposure vulnerability affecting Immich, a high-performance self-hosted photo and video management solution. Prior to version 2.6.0, the application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters of a GET request to /api/shared-links/me. This design flaw exposes sensitive authentication credentials through multiple channels, including browser history, proxy logs, server logs, and HTTP Referer headers.
Critical Impact
Shared album passwords may be exposed through browser history, server/proxy logs, and referrer headers, potentially allowing unauthorized access to private photo and video collections.
Affected Products
- Immich versions prior to 2.6.0
- Self-hosted Immich deployments with password-protected shared albums
- Any system proxying or logging requests to Immich instances
Discovery Timeline
- April 3, 2026 - CVE-2026-25118 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-25118
Vulnerability Analysis
This vulnerability falls under CWE-598 (Use of GET Request Method With Sensitive Query Strings). When users access password-protected shared albums in Immich, the application transmits the album password as a URL query parameter in GET requests. This is a fundamental security anti-pattern because GET request parameters are logged and cached in numerous locations throughout the request chain.
The vulnerability affects the shared album authentication flow where credentials should be transmitted securely in the request body of a POST request or through proper authentication headers. Instead, the password appears in plaintext within the URL structure, making it susceptible to interception and unintended logging.
Root Cause
The root cause of this vulnerability is improper handling of sensitive authentication data during the shared album access workflow. The application architecture transmits the album password via URL query parameters in GET requests to the /api/shared-links/me endpoint rather than using secure transmission methods such as POST request bodies or HTTP headers.
This design decision violates security best practices that dictate sensitive data should never be included in URLs due to the various locations where URLs are stored and logged throughout the HTTP request lifecycle.
Attack Vector
The attack vector is network-based, but exploitation requires the attacker to reach one of the places where the request URL is recorded. An attacker could gain access to shared album credentials through several methods:
Browser History Exposure: Any user with access to the victim's browser history can extract the password from logged URLs. This includes shared computers, browser sync features, or compromised browser profiles.
Proxy and Server Logs: Organizations using web proxies, firewalls, or load balancers that log HTTP requests will have plaintext passwords stored in their logs. Similarly, the Immich server itself or any reverse proxy in front of it may log the full request URL.
Referrer Header Leakage: If the shared album page contains external links or resources, the password-containing URL may be transmitted to third-party servers via the HTTP Referer header.
Detection Methods for CVE-2026-25118
Indicators of Compromise
- Review web server access logs for GET requests to /api/shared-links/me containing query parameters
- Check proxy logs for URL patterns containing potential password strings in query parameters
- Monitor for unusual access patterns to shared albums that may indicate credential abuse
Detection Strategies
- Implement log analysis rules to identify GET requests with password-like parameters in the URL
- Deploy network monitoring to flag requests to the vulnerable endpoint pattern
- Audit browser history on shared systems for exposed Immich authentication URLs
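The following is an added example, not code from the advisory or from the Immich project, showing how the log analysis rule above and the access-log review under Indicators of Compromise could be implemented. It scans constructed combined-format access-log lines (not real traffic), flags GET requests to /api/shared-links/me that carry query parameters and any GET whose query string contains a password-like parameter name, and redacts the values so the scanner's own output does not re-leak the credential. The parameter name "password" in the sample is an assumption; the advisory does not name the parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined/common log format: client ident user [timestamp] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Query-parameter names that look like they carry a credential. Assumption: the
# vulnerable Immich request uses a name such as "password"; the advisory does not say.
PASSWORD_LIKE = re.compile(r'pass(word)?|pwd|secret', re.IGNORECASE)
VULN_PATH = "/api/shared-links/me"

def redact(value):
    """Replace a parameter value with its length so findings can be shared safely."""
    return "<redacted len=%d>" % len(value)

def scan_line(line):
    """Return a finding for a suspicious GET request, or None.
    A request is suspicious if it hits the vulnerable endpoint with any query
    parameters, or if any query parameter name looks like a credential."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in params if PASSWORD_LIKE.search(k)]
    hits_endpoint = parts.path == VULN_PATH and bool(params)
    if not leaked and not hits_endpoint:
        return None
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "path": parts.path,
        "status": int(m.group("status")),
        "leaked_params": leaked,
        "vulnerable_endpoint": hits_endpoint,
        "query": "&".join("%s=%s" % (k, redact(v)) for k, v in params),
    }

def scan_log(lines):
    """Run scan_line over an iterable of log lines and keep only the findings."""
    return [f for f in (scan_line(line) for line in lines) if f]

# Constructed sample access-log lines; the key and password values are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Apr/2026:10:15:02 +0000] "GET /api/shared-links/me?key=abc123&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Apr/2026:10:15:03 +0000] "GET /api/assets/thumbnail/9f HTTP/1.1" 200 8192',
    '198.51.100.4 - - [03/Apr/2026:10:16:40 +0000] "POST /api/auth/login HTTP/1.1" 201 300',
    '198.51.100.4 - - [03/Apr/2026:10:17:01 +0000] "GET /api/shared-links/me?key=abc123 HTTP/1.1" 401 64',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feed real access logs through scan_log line by line; a finding with a non-empty leaked_params list is a logged credential that should be treated as exposed and rotated.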
Monitoring Recommendations
- Enable detailed logging on reverse proxies to track access to the vulnerable endpoint
- Set up alerts for multiple failed or successful accesses to shared albums from different IP addresses
- Review server and proxy log retention policies to minimize exposure window of logged credentials
How to Mitigate CVE-2026-25118
Immediate Actions Required
- Upgrade Immich to version 2.6.0 or later immediately
- Rotate all shared album passwords after upgrading to invalidate potentially exposed credentials
- Clear or rotate logs on web servers and proxies that may contain exposed passwords
- Advise users to clear browser history on shared or public computers
Patch Information
The vulnerability has been addressed in Immich version 2.6.0. The fix modifies the authentication flow to properly handle sensitive credentials without exposing them in URL parameters. Users should upgrade to this version immediately.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-78x4-6x83-jx75. The relevant pull requests implementing the fix can be found at PR #26868 and PR #26886. The patched release is available at Immich v2.6.0.
Workarounds
- Disable password-protected shared albums until the upgrade can be completed
- Implement network-level access controls to restrict who can access shared album URLs
- Place Immich behind a reverse proxy that strips or sanitizes URL query parameters from logs
- Consider using alternative authentication methods if available in your deployment
# Configuration example
# Upgrade Immich to patched version
docker pull ghcr.io/immich-app/immich-server:v2.6.0
# Or if using docker-compose, update the image tag in docker-compose.yml
# and run:
docker-compose pull
docker-compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

