{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-24T23:28:16.491","vulnerabilities":[{"cve":{"id":"CVE-2026-23896","sourceIdentifier":"security-advisories@github.com","published":"2026-01-29T18:16:14.970","lastModified":"2026-06-17T10:22:16.370","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue."},{"lang":"es","value":"immich es una solución de gestión de fotos y videos autoalojada de alto rendimiento. Antes de la versión 2.5.0, las claves API pueden escalar sus propios permisos al llamar al endpoint de actualización, permitiendo que una clave API de bajo privilegio se otorgue acceso administrativo completo al sistema. La versión 2.5.0 corrige el problema."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"immich-app","product":"immich","versions":[{"version":"< 2.5.0","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-29T21:25:28.260765Z","id":"CVE-2026-23896","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-269"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:futo:immich:*:*:*:*:*:docker:*:*","versionEndExcluding":"2.5.0","matchCriteriaId":"6A876FF0-015E-48C7-8319-4E23ACC5F6F2"}]}]}],"references":[{"url":"https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}