Skip to content
Threat Feed
high advisory

CVE-2026-59258: Immich Broken Access Control Vulnerability Allows Privilege Escalation

A broken access control vulnerability in immich before version 3.0.3 allows authenticated attackers with editor access to shared albums to elevate their privileges by exploiting the PUT /albums/:id/user/:userId endpoint to demote the album owner to editor and then promote themselves to owner, gaining full control including deletion and eviction capabilities.

A significant broken access control vulnerability, identified as CVE-2026-59258, affects Immich versions prior to 3.0.3. This flaw resides within the PUT /albums/:id/user/:userId API endpoint, which is intended for managing user roles within shared albums. An attacker who already possesses editor privileges for a shared album can exploit this vulnerability to bypass owner-only restrictions. By sending two sequential HTTP PUT requests, the attacker can first demote the legitimate album owner to an editor role and then elevate their own role to album owner. This privilege escalation grants the attacker full administrative control over the affected album, including the ability to delete the album entirely or evict other members. This vulnerability poses a critical risk to data integrity and access control for Immich users utilizing shared album features.

Attack Chain

  1. An attacker obtains legitimate editor access to a shared Immich album, either through social engineering, compromised credentials, or existing permissions.
  2. The attacker crafts and sends an initial malicious HTTP PUT request to the /albums/:id/user/:userId API endpoint, targeting the legitimate album owner's userId.
  3. The request's payload specifies changing the owner's role to 'editor' or a lower privilege.
  4. Due to the broken access control vulnerability (CVE-2026-59258), the Immich application processes this request, successfully demoting the legitimate album owner without proper authorization checks.
  5. Subsequently, the attacker crafts and sends a second malicious HTTP PUT request to the same /albums/:id/user/:userId endpoint, this time targeting their own userId.
  6. The request's payload specifies changing the attacker's role to 'owner'.
  7. The Immich application again processes this request due to the vulnerability, promoting the attacker to the album owner.
  8. The attacker now possesses full administrative control over the shared album, enabling actions such as album deletion, member eviction, and content manipulation.

Impact

Successful exploitation of CVE-2026-59258 allows an attacker with existing editor permissions to fully compromise the targeted Immich shared album. This leads to unauthorized privilege escalation, granting the attacker complete administrative control over the album. The primary impact includes the potential for unauthorized data loss through album deletion, the eviction of legitimate users, and the modification or exfiltration of sensitive content stored within the album. While no specific victim counts or targeted sectors have been disclosed, any organization or individual using affected Immich versions with shared albums is at risk of severe data integrity and access control breaches.

Recommendation

  • Immediately upgrade Immich installations to version 3.0.3 or newer to patch CVE-2026-59258.
  • Review web server logs for suspicious HTTP PUT requests to the /albums/*/user/*/role endpoint as described in the Attack Chain.
  • Implement application-level logging to capture detailed API calls, including the authenticated user, target user, and requested role changes for better visibility into potential access control bypass attempts related to CVE-2026-59258.