Cyber Resilience

CVE-2026-25118

MediumPublic PoC

Published: 03 April 2026

Published
03 April 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0006 18.9th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25118 is a medium-severity Use of HTTP Request With Sensitive Query String (CWE-598) vulnerability in Futo Immich. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25118 is a credential disclosure vulnerability (CWE-598) affecting Immich, a high-performance self-hosted photo and video management solution, in versions prior to 2.6.0. The issue occurs during authentication to a shared album, where the application transmits the album password in URL query parameters via a GET request to the /api/shared-links/me endpoint. This exposure risks capturing the password in browser history, proxy and server logs, and referrer headers, potentially leading to unintended disclosure of authentication credentials.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely with low complexity and no privileges or user interaction required. Attackers who gain access to the exposed password—such as through log inspection, network sniffing, or compromised endpoints—can authenticate to shared albums, compromising access and enabling unauthorized exposure of sensitive user data, including photos and videos.

Immich has addressed the vulnerability in version 2.6.0, as detailed in the project's security advisory (GHSA-78x4-6x83-jx75) and release notes. Relevant fixes are implemented in pull requests #26868 and #26886, with users advised to upgrade promptly to mitigate risks.

EU & UK References

Vulnerability details

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album…

more

password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

CVE exposes album credentials via GET query parameters on a public-facing web app (enables T1190 exploitation for initial credential access) and directly creates an instance of insecurely transmitted credentials discoverable in logs/referrers/history (facilitates T1552 Unsecured Credentials).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35455Same product: Futo Immich
CVE-2026-23896Same product: Futo Immich
CVE-2025-41772Shared CWE-598
CVE-2026-26721Shared CWE-598
CVE-2025-13219Shared CWE-598
CVE-2025-69270Shared CWE-598
CVE-2026-34020Shared CWE-598
CVE-2026-22644Shared CWE-598
CVE-2026-23846Shared CWE-598
CVE-2025-26473Shared CWE-598

Affected Assets

futo
immich
≤ 2.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the software flaw transmitting album passwords in URL query parameters, preventing credential exposure as patched in Immich version 2.6.0.

prevent

Requires protecting authenticators like album passwords from unauthorized disclosure during transmission, directly addressing the credential exposure risk.

prevent

Ensures confidentiality and integrity of transmitted information, mitigating network interception of exposed credentials though not addressing logs or browser history.

References