CVE-2026-23896: Immich API Keys Could Quietly Promote Themselves to Full Admin Access

Aegiron 9 mins0

CVE-2026-23896 – Immich API Privilege Escalation

CVE ID: CVE-2026-23896
Product: Immich
Vulnerability Type: API Authorization Bypass / Privilege Escalation
CVSS v3.1 Score: 7.2 (High)
Severity: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High (valid API key required)
User Interaction: None
Exploitability: Practical and straightforward once preconditions are met
Exploit Availability: No public weaponized exploit; exploitation logic is simple and reproducible for educational and testing purposes
Patch Status: Fixed
Affected Versions: Immich versions prior to v2.5.0
Fixed Version: Immich v2.5.0

Official Patch / Upgrade Link: Link provided below

Overview

A privilege escalation vulnerability was identified in Immich’s API key management functionality. Due to insufficient server-side authorization checks, an API key with limited permissions was allowed to modify its own privilege scope. As a result, the same key could be escalated to full administrative privileges without proper validation.

The flaw existed in the API endpoint responsible for updating API keys. Permission enforcement was incomplete, allowing keys that already had update capability to assign themselves unrestricted access.

This vulnerability did not rely on memory corruption or injection techniques. Instead, it was caused by a logical authorization flaw, making it easy to exploit once a valid API key was obtained.

Root Cause

Improper privilege validation was applied during API key updates.
Specifically:

  • The API endpoint trusted the request context too broadly.
  • Permission changes were not restricted based on the current privilege level of the API key.
  • Self-modification of permissions was allowed without enforcing a least-privilege boundary.

This resulted in a classic case of improper privilege management.

How Exploitation Could Occur

The exploitation path was simple and fully API-based:

  1. A valid API key was obtained (through legitimate creation, account compromise, or insider access).
  2. The API key already had permission to call the API key update endpoint.
  3. A crafted request was sent to update the key’s permission set.
  4. The permissions field was changed to full or administrative access.
  5. The API accepted the change without rejecting or downgrading the request.
  6. The same API key now functioned as an administrator.

Once elevated, full control over the Immich instance was possible, including access to all user media, system configuration, user management, and data deletion.

Impact

If successfully exploited, the following impacts were possible:

  • Complete compromise of all stored photos and videos
  • Unauthorized access to user metadata and personal content
  • Creation or deletion of user accounts
  • Modification of system-wide settings
  • Long-term persistence via newly created admin API keys
  • Silent data exfiltration using legitimate API calls

Because API keys are often used in automation, abuse could remain undetected for long periods without proper logging.

MITRE ATT&CK & CWE Mapping

CWE Mapping

  • CWE-269 – Improper Privilege Management

MITRE ATT&CK (Behavioral Mapping)

  • T1078 – Valid Accounts
  • T1098 – Account Manipulation
  • T1550 – Use of Application Access Tokens

These mappings help classify the attacker behavior for threat hunting and detection engineering.

Proof of Concept (Educational Context Only)

No public exploit framework or weaponized PoC has been released.
However, exploitation was trivial and could be reproduced in a controlled lab environment.

Conceptual Request Payload

{
  "apiKeyId": "existing-key-id",
  "permissions": ["all"]
}

If the server responded with success and updated the permissions, the vulnerability was present.

Detection Strategy

Relevant Log Sources

  • Immich application audit logs
  • API gateway or reverse proxy logs
  • Container runtime logs
  • Database audit tables (API key metadata)
  • Object storage access logs

What to Look For

  • API key update events where permissions change from limited to full/admin
  • API keys performing admin actions shortly after being updated
  • API key modifications from unusual IP addresses or geolocations
  • Bulk media access or downloads immediately following a key update
  • API keys creating new admin users or additional API keys

Splunk Detection Rules

Rule 1 – API Key Permission Escalation

index=immich_logs
("apiKey.update" OR "/apiKey/update")
| eval old_perm=mvindex(previous_permissions,0)
| eval new_perm=mvindex(new_permissions,0)
| where old_perm!="all" AND new_perm="all"
| table _time, user_id, api_key_id, old_perm, new_perm, src_ip, http_user_agent

Rule 2 – Admin Actions by Recently Updated API Keys

index=immich_logs
| transaction api_key_id maxspan=15m
| search action IN ("create_user","delete_user","system_config_change")
| where api_key_recently_updated="true"
| table _time, api_key_id, action, src_ip

Rule 3 – Suspicious Media Exfiltration

index=immich_logs
("media.download" OR "media.export")
| stats count sum(bytes_transferred) by api_key_id, src_ip
| where count > 500 OR bytes_transferred > 1073741824

Indicators of Compromise

  • API keys upgraded to full privileges without administrative approval
  • Administrative actions executed via API keys instead of interactive users
  • Sudden spikes in media downloads
  • API activity outside normal operational hours
  • Repeated API key updates in short time windows

Mitigation (If Patch Cannot Be Applied Immediately)

  • API key creation should be disabled or restricted
  • Existing API keys should be rotated and reissued
  • API key permissions should be reviewed manually
  • Network access should be restricted to trusted IP ranges
  • Enhanced logging should be enabled for all API activity

These steps reduce exposure but do not eliminate the vulnerability.

Remediation

The vulnerability has been fully resolved in Immich v2.5.0.

Required Action:

  • Upgrade immediately to v2.5.0 or later
  • Revoke and regenerate all API keys created before the upgrade
  • Review logs for historical abuse

Official Upgrade Link:
https://github.com/immich-app/immich/releases/tag/v2.5.0

Final Takeaway

This vulnerability highlights the risk of insufficient authorization checks in API-driven platforms. Even when authentication is enforced, authorization flaws can silently undermine security controls. API keys should always be treated as high-risk credentials and governed with strict least-privilege principles.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.