๐Ÿ” CVE Alert

CVE-2026-59258

HIGH 8.3

immich < 3.0.3 Shared Album Editor Ownership Takeover via updateUser

CVSS Score
8.3
EPSS Score
0.0%
EPSS Percentile
0th

immich before 3.0.3 contains a broken access control vulnerability in the PUT /albums/:id/user/:userId endpoint that allows shared album editors to modify member roles without owner-only restrictions. Attackers with editor access can demote the album owner to editor and promote themselves to owner in sequential requests, gaining full control including deletion and eviction capabilities.

CWE CWE-863
Vendor immich-app
Product immich
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for immich-app immich

Be the first to know when new high vulnerabilities affecting immich-app immich are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Affected Versions

immich-app / immich
0 < 3.0.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/immich-app/immich/issues/29857 github.com: https://github.com/immich-app/immich/releases/tag/v3.0.3 github.com: https://github.com/immich-app/immich/pull/29883 github.com: https://github.com/immich-app/immich/commit/84dff19ca9a467752d848ff54763d62c04ebf960 vulncheck.com: https://www.vulncheck.com/advisories/immich-shared-album-editor-ownership-takeover-via-updateuser

Credits

George Chen