Product
A broken access control vulnerability in immich before version 3.0.3 allows authenticated attackers with editor access to shared albums to elevate their privileges by exploiting the PUT /albums/:id/user/:userId endpoint to demote the album owner to editor and then promote themselves to owner, gaining full control including deletion and eviction capabilities.