CVE-2026-59258

high

Description

immich before 3.0.3 contains a broken access control vulnerability in the PUT /albums/:id/user/:userId endpoint that allows shared album editors to modify member roles without owner-only restrictions. Attackers with editor access can demote the album owner to editor and promote themselves to owner in sequential requests, gaining full control including deletion and eviction capabilities.

References

https://www.vulncheck.com/advisories/immich-shared-album-editor-ownership-takeover-via-updateuser

https://github.com/immich-app/immich/releases/tag/v3.0.3

https://github.com/immich-app/immich/pull/29883

https://github.com/immich-app/immich/issues/29857

https://github.com/immich-app/immich/commit/84dff19ca9a467752d848ff54763d62c04ebf960

Details

Source: Mitre, NVD

Published: 2026-07-15

Updated: 2026-07-15

Risk Information

CVSS v2

Base Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Severity: High

CVSS v4

Base Score: 7.2

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00315