CVE-2026-25118

Source
https://cve.org/CVERecord?id=CVE-2026-25118
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25118.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25118
Aliases
  • GHSA-78x4-6x83-jx75
Published
2026-04-03T15:51:07.171Z
Modified
2026-07-08T08:04:56.427658794Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums
Details

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25118.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-598"
    ]
}
References

Affected packages

Git / github.com/immich-app/immich

Affected ranges

Type
GIT
Repo
https://github.com/immich-app/immich
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:futo:immich:*:*:*:*:*:docker:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.6.0"
        }
    ]
}

Affected versions

Other
first-android-release
v0.*
v0.2-dev
v0.3-dev
v0.4-dev
v0.5-dev
v0.6-dev
v1.*
v1.10.0_15-dev
v1.100.0
v1.101.0
v1.102.0
v1.102.1
v1.102.2
v1.102.3
v1.103.0
v1.103.1
v1.104.0
v1.105.0
v1.105.1
v1.106.0
v1.106.1
v1.106.2
v1.106.3
v1.106.4
v1.107.0
v1.107.1
v1.107.2
v1.108.0
v1.109.0
v1.109.1
v1.109.2
v1.11.0_17-dev
v1.110.0
v1.111.0
v1.112.0
v1.112.1
v1.113.0
v1.113.1
v1.114.0
v1.115.0
v1.116.0
v1.116.1
v1.116.2
v1.117.0
v1.118.0
v1.118.1
v1.118.2
v1.119.0
v1.119.1
v1.12.0_18-dev
v1.120.0
v1.120.1
v1.120.2
v1.121.0
v1.122.0
v1.122.1
v1.122.2
v1.122.3
v1.123.0
v1.124.0
v1.124.1
v1.124.2
v1.125.0
v1.125.1
v1.125.2
v1.125.3
v1.125.4
v1.125.5
v1.125.6
v1.125.7
v1.126.0
v1.126.1
v1.127.0
v1.128.0
v1.129.0
v1.13.0_20-dev
v1.130.0
v1.130.1
v1.130.2
v1.130.3
v1.131.0
v1.131.1
v1.131.2
v1.131.3
v1.132.0
v1.132.1
v1.132.2
v1.132.3
v1.133.0
v1.133.1
v1.134.0
v1.135.0
v1.135.1
v1.135.2
v1.135.3
v1.136.0
v1.137.0
v1.137.1
v1.137.2
v1.137.3
v1.138.0
v1.138.1
v1.139.0
v1.139.1
v1.139.2
v1.139.3
v1.139.4
v1.14.0_21-dev
v1.140.0
v1.140.1
v1.141.0
v1.141.1
v1.142.0
v1.142.1
v1.143.0
v1.143.1
v1.144.0
v1.144.1
v1.15.0_21-dev
v1.15.1_21-dev
v1.16.0_23-dev
v1.17.0_25-dev
v1.18.0_27-dev
v1.19.0_29-dev
v1.19.1_29-dev
v1.20.0_30-dev
v1.20.1_30-dev
v1.20.2_30-dev
v1.20.3_30-dev
v1.21.0_31-dev
v1.21.1_31-dev
v1.22.0_32-dev
v1.23.0_33-dev
v1.24.0_34-dev
v1.25.0_35-dev
v1.26.0_36-dev
v1.27.0_37-dev
v1.28.0_38-dev
v1.28.1_39-dev
v1.28.2_40-dev
v1.28.3_41-dev
v1.28.4_41-dev
v1.28.4_42-dev
v1.29.0_42-dev
v1.29.1_43-dev
v1.29.2_43-dev
v1.29.3_43-dev
v1.29.4_44-dev
v1.29.5_44-dev
v1.29.6_44-dev
v1.29.6_45-dev
v1.3.0-dev
v1.3.1-dev
v1.30.0_46-dev
v1.30.2_48-dev
v1.31.0_49-dev
v1.31.1_49-dev
v1.32.0_50-dev
v1.32.1_51-dev
v1.33.0_52-dev
v1.33.1_52-dev
v1.34.0_53-dev
v1.35.0_54-dev
v1.36.0_55-dev
v1.36.1_55-dev
v1.36.2_56-dev
v1.37.0_58-dev
v1.38.0_60-dev
v1.38.1_60-dev
v1.38.2_60-dev
v1.39.0_61-dev
v1.4.0+6-dev
v1.4.0+7-dev
v1.4.0-dev
v1.40.0_63-dev
v1.40.1_63-dev
v1.41.0_64-dev
v1.41.1_64-dev
v1.42.0_65-dev
v1.43.0
v1.43.1
v1.44.0
v1.45.0
v1.46.0
v1.46.1
v1.47.0
v1.47.1
v1.47.2
v1.47.3
v1.48.0
v1.48.1
v1.49.0
v1.5.0+8-dev
v1.5.1+9-dev
v1.50.0
v1.50.1
v1.51.0
v1.51.1
v1.51.2
v1.52.1
v1.53.0
v1.54.0
v1.54.1
v1.55.0
v1.55.1
v1.56.0
v1.56.1
v1.56.2
v1.57.0
v1.57.1
v1.58.0
v1.59.0
v1.59.1
v1.6.0_10-dev
v1.60.0
v1.61.0
v1.62.0
v1.62.1
v1.63.0
v1.63.1
v1.63.2
v1.64.0
v1.65.0
v1.66.0
v1.66.1
v1.67.0
v1.67.1
v1.67.2
v1.68.0
v1.69.0
v1.7.0_11-dev
v1.70.0
v1.71.0
v1.72.0
v1.72.1
v1.72.2
v1.73.0
v1.74.0
v1.75.0
v1.75.1
v1.75.2
v1.76.0
v1.76.1
v1.77.0
v1.78.0
v1.78.1
v1.79.0
v1.79.1
v1.8.0_12-dev
v1.80.0
v1.81.0
v1.81.1
v1.82.0
v1.82.1
v1.83.0
v1.84.0
v1.85.0
v1.86.0
v1.87.0
v1.88.0
v1.88.2
v1.89.0
v1.9.0_13-dev
v1.9.1_14-dev
v1.90.0
v1.90.1
v1.90.2
v1.91.0
v1.91.1
v1.91.2
v1.91.3
v1.91.4
v1.92.0
v1.92.1
v1.93.0
v1.93.1
v1.93.2
v1.93.3
v1.94.1
v1.95.0
v1.95.1
v1.96.0
v1.97.0
v1.98.0
v1.98.1
v1.98.2
v1.99.0
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25118.json"