Description

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.

INFO

Published Date :

2026-04-03T15:51:07.171Z

Last Modified :

2026-04-03T15:51:07.171Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25118 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25118.

URL Resource
https://github.com/immich-app/immich/pull/26868 cve-icon cve-icon
https://github.com/immich-app/immich/pull/26886 cve-icon cve-icon
https://github.com/immich-app/immich/releases/tag/v2.6.0 cve-icon cve-icon
https://github.com/immich-app/immich/security/advisories/GHSA-78x4-6x83-jx75 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability