CVE-2026-25118
Published: 03 April 2026
Summary
CVE-2026-25118 is a high-severity Use of GET Request Method With Sensitive Query Strings (CWE-598) vulnerability in Futo Immich. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the software flaw transmitting album passwords in URL query parameters, preventing credential exposure as patched in Immich version 2.6.0.
Requires protecting authenticators like album passwords from unauthorized disclosure during transmission, directly addressing the credential exposure risk.
Ensures confidentiality and integrity of transmitted information, mitigating network interception of exposed credentials though not addressing logs or browser history.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE exposes album credentials via GET query parameters on a public-facing web app (enables T1190 exploitation for initial credential access) and directly creates an instance of insecurely transmitted credentials discoverable in logs/referrers/history (facilitates T1552 Unsecured Credentials).
NVD Description
immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album…
more
password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.
Deeper analysisAI
CVE-2026-25118 is a credential disclosure vulnerability (CWE-598) affecting Immich, a high-performance self-hosted photo and video management solution, in versions prior to 2.6.0. The issue occurs during authentication to a shared album, where the application transmits the album password in URL query parameters via a GET request to the /api/shared-links/me endpoint. This exposure risks capturing the password in browser history, proxy and server logs, and referrer headers, potentially leading to unintended disclosure of authentication credentials.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely with low complexity and no privileges or user interaction required. Attackers who gain access to the exposed password—such as through log inspection, network sniffing, or compromised endpoints—can authenticate to shared albums, compromising access and enabling unauthorized exposure of sensitive user data, including photos and videos.
Immich has addressed the vulnerability in version 2.6.0, as detailed in the project's security advisory (GHSA-78x4-6x83-jx75) and release notes. Relevant fixes are implemented in pull requests #26868 and #26886, with users advised to upgrade promptly to mitigate risks.
Details
- CWE(s)