CVE-2026-40096 Overview
CVE-2026-40096 is an open redirect vulnerability affecting Immich, a high-performance self-hosted photo and video management solution. The vulnerability exists in the shared album functionality where album names are inserted unsanitized into HTML <meta> tags within api.service.ts. This allows authenticated attackers to craft malicious album names that, when shared with victims, redirect their browsers to attacker-controlled websites.
Critical Impact
Authenticated attackers can exploit this vulnerability to redirect victims to phishing sites masquerading as legitimate Immich login pages, potentially harvesting credentials from unsuspecting users who believe they need to authenticate to view shared albums.
Affected Products
- Immich versions prior to 2.7.3
- Self-hosted Immich installations with shared album functionality enabled
Discovery Timeline
- 2026-04-15 - CVE-2026-40096 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-40096
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically manifesting as an open redirect through unsanitized meta tag injection. The core issue lies in how Immich handles user-supplied album names when generating Open Graph meta tags for shared album links.
When a user creates a shared album, the album name is directly inserted into the <meta property="og:title"> tag without proper sanitization. An attacker with a registered account can craft a malicious album name containing HTML meta tag escape sequences and redirect directives. When a victim opens the share link, the browser interprets the injected content as a valid meta refresh directive, causing an automatic redirect to an attacker-controlled domain.
The attack requires the attacker to have a registered account on the target Immich instance, limiting the attack surface to multi-user deployments or instances with open registration. However, once exploited, the vulnerability enables convincing phishing attacks since victims receive legitimate-looking share links from the trusted Immich domain.
Root Cause
The root cause is insufficient input validation and output encoding in the api.service.ts file. The shared album functionality fails to sanitize special characters in album names before embedding them into HTML meta tags. Specifically, the code does not escape quotation marks, angle brackets, or other HTML-significant characters, allowing attackers to break out of the intended attribute context and inject arbitrary meta directives.
Attack Vector
The attack is network-based and requires the attacker to have a registered account on the target Immich instance. The attacker creates a shared album whose name is the payload 0;url=https://attackersite.com" http-equiv="refresh. When this name is interpolated into the og:title meta tag of the share page, the embedded quotation mark closes the content attribute and the remainder is parsed as an http-equiv="refresh" attribute on the same tag, so the browser treats the tag as a meta refresh directive that redirects visitors to the attacker's site.
The attacker then shares the album link with victims through any communication channel. When victims click the link expecting to view shared photos, their browsers are immediately redirected to a malicious site. The attacker can host a convincing replica of the Immich login page to harvest credentials from users who believe they need to authenticate to view the album.
The vulnerability exploits the browser's interpretation of meta refresh tags, which are processed before any JavaScript-based security controls can intervene.
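The following is an added illustration, not code from Immich or from the advisory, showing the attribute breakout described in the Root Cause and Attack Vector sections beside the attribute-encoding fix, with a small attribute reader to check whether the rendered tag has gained an http-equiv attribute. All function names are hypothetical.

```typescript
// Added illustration, not Immich's code: a stand-in for how a share page's
// Open Graph title might be rendered, first unescaped (the flaw) and then with
// attribute encoding (the fix). All function names here are hypothetical.

// Album name quoted in the advisory's Attack Vector section.
const ADVISORY_PAYLOAD = '0;url=https://attackersite.com" http-equiv="refresh';

// Vulnerable pattern: the album name is interpolated straight into the attribute.
function renderOgTitleUnsafe(albumName: string): string {
  return `<meta property="og:title" content="${albumName}">`;
}

// Encode the five HTML-significant characters so the value cannot terminate
// the content="..." attribute or open a new tag.
function escapeHtmlAttr(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => {
    switch (ch) {
      case '&': return '&amp;';
      case '<': return '&lt;';
      case '>': return '&gt;';
      case '"': return '&quot;';
      default: return '&#39;';
    }
  });
}

// Hardened pattern: same tag, encoded value.
function renderOgTitleSafe(albumName: string): string {
  return `<meta property="og:title" content="${escapeHtmlAttr(albumName)}">`;
}

// Read the name="value" attributes of a single <meta> tag, roughly the way a
// forgiving HTML parser would, so we can see which attributes actually exist.
function metaAttributes(tag: string): Record<string, string> {
  const attrs: Record<string, string> = {};
  const re = /([a-zA-Z-]+)="([^"]*)"/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(tag)) !== null) attrs[m[1]] = m[2];
  return attrs;
}

// True when the rendered tag has become a refresh directive, i.e. the album
// name escaped the content attribute and contributed an http-equiv attribute.
function isRefreshDirective(tag: string): boolean {
  return (metaAttributes(tag)['http-equiv'] ?? '').toLowerCase() === 'refresh';
}
```

The hardened output still contains the payload text inside the content attribute; it is simply inert data there, which is the whole point of output encoding.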
Detection Methods for CVE-2026-40096
Indicators of Compromise
- Album names containing unusual character sequences such as http-equiv, refresh, or url=
- Album names with embedded quotation marks or HTML-like syntax
- Shared album links that result in unexpected browser redirects
- User reports of being redirected to unfamiliar login pages when accessing shared albums
- Web server logs showing requests with unusually long or encoded album name parameters
Detection Strategies
- Implement server-side logging and alerting for album names containing suspicious patterns such as http-equiv or meta keywords
- Monitor for albums with names exceeding reasonable length thresholds or containing non-printable characters
- Deploy web application firewall rules to detect and block requests containing meta tag injection patterns
- Review audit logs for bulk album creation activity from single accounts, which may indicate reconnaissance or testing
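As an added example (not part of the advisory or of Immich), the indicator patterns and length/character checks listed above turned into a scan over a list of album names, normalising URL-encoded and entity-encoded variants first so an obfuscated payload is caught alongside the plain one. The sample names are constructed and the function names are hypothetical.

```typescript
// Added illustration, not Immich's code: a scan over album names (for example
// exported from the database) that flags the indicator patterns listed above,
// including URL-encoded and HTML-entity-encoded variants. Names are constructed.

// Decode common encodings so that an obfuscated payload is compared in the same
// form as a plain one; a malformed %-sequence is left untouched rather than fatal.
function normalizeAlbumName(name: string): string {
  let s = name;
  try { s = decodeURIComponent(s); } catch { /* keep original */ }
  return s
    .replace(/&quot;|&#34;|&#x22;/gi, '"')
    .replace(/&lt;|&#60;|&#x3c;/gi, '<')
    .replace(/&gt;|&#62;|&#x3e;/gi, '>')
    .toLowerCase();
}

// Keywords from the advisory's indicators plus a generic attribute-breakout shape.
const SUSPICIOUS: Array<{ label: string; re: RegExp }> = [
  { label: 'http-equiv attribute', re: /http-equiv/ },
  { label: 'refresh keyword', re: /\brefresh\b/ },
  { label: 'url= redirect target', re: /\burl\s*=/ },
  { label: 'tag injection', re: /<\s*\/?\s*meta|<\s*script/ },
  { label: 'attribute breakout', re: /"\s*[a-z-]+\s*=/ },
];

interface Finding { name: string; reasons: string[] }

// Returns one finding per suspicious name; benign names produce no entry.
function scanAlbumNames(names: string[], maxLen = 128): Finding[] {
  const findings: Finding[] = [];
  for (const name of names) {
    const norm = normalizeAlbumName(name);
    const reasons = SUSPICIOUS.filter((p) => p.re.test(norm)).map((p) => p.label);
    if (name.length > maxLen) reasons.push('length exceeds threshold');
    if (/[\x00-\x1f\x7f]/.test(name)) reasons.push('non-printable characters');
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample: a benign name, a benign name that trips the bare keyword
// (so a reviewer still has to look), the advisory's payload, and an encoded copy.
const SAMPLE_NAMES = [
  'Summer Trip 2025',
  'Refresh party photos',
  '0;url=https://attackersite.com" http-equiv="refresh',
  '0;url=https://attackersite.com&quot; http-equiv=&quot;refresh',
];
```

A single keyword hit such as the word "refresh" is a prompt for review, not proof of an attack; the breakout and http-equiv patterns together are the strong signal.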
Monitoring Recommendations
- Enable verbose logging for the shared album creation and access endpoints in Immich
- Configure alerts for multiple failed album access attempts followed by successful redirects to external domains
- Implement Content Security Policy headers to restrict meta refresh behavior where possible
- Monitor DNS queries from client networks for connections to known phishing domains following Immich share link access
How to Mitigate CVE-2026-40096
Immediate Actions Required
- Upgrade all Immich installations to version 2.7.3 or later immediately
- Review existing shared albums for suspicious or unusually formatted names
- Notify users who may have accessed suspicious shared album links to change their credentials
- Consider temporarily disabling the shared album functionality on vulnerable instances until patching is complete
- Implement network-level controls to alert on redirects from Immich instances to unknown external domains
Patch Information
Immich has addressed this vulnerability in version 2.7.3. The fix implements proper HTML entity encoding for album names before insertion into meta tags, preventing attackers from escaping the attribute context. Administrators should upgrade to version 2.7.3 or later as documented in the GitHub Release v2.7.3.
For detailed technical information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-24fq-72x8-v7hm.
Workarounds
- Restrict album creation permissions to trusted administrators only until the patch can be applied
- Implement a reverse proxy or web application firewall rule to sanitize or reject album names containing meta tag injection patterns
- Disable shared album functionality at the application or network level for vulnerable installations
- Educate users to verify the URL in their browser address bar when accessing shared album links and to report any unexpected redirects
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.