CVE-2026-25118

UNKNOWN 0.0

immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.

CWE	CWE-598
Vendor	immich-app
Product	immich
Published	Apr 3, 2026
Last Updated	Apr 4, 2026

Stay Ahead of the Next One

Get instant alerts for immich-app immich

Be the first to know when new unknown vulnerabilities affecting immich-app immich are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

immich-app / immich

< 2.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/immich-app/immich/security/advisories/GHSA-78x4-6x83-jx75 github.com: https://github.com/immich-app/immich/pull/26868 github.com: https://github.com/immich-app/immich/pull/26886 github.com: https://github.com/immich-app/immich/releases/tag/v2.6.0