External risk intelligence

Immich Account Takeover via Reflected XSS

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-53662

Immich is a self-hosted photo and video management application typically deployed as a web service. Because it is designed to be accessed via a web browser and is commonly exposed to the internet to facilitate remote access to personal media libraries, the login interface where this vulnerability resides is a likely target for internet-based interactions.

Cross-site Scripting

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security flaw in the Immich photo and video management software could allow an attacker to take over any authenticated user's account by tricking them into clicking a malicious link. This exploit targets the login page and, if successful, can grant the attacker full access to the victim's account and data by creating a new administrative key.

  • Unauthenticated users can compromise accounts.
  • Attackers can gain full account access and control.
  • Confirm relevance and verify exposure for this service.

Attack Path

How an attacker could exploit the issue

An attacker can trick a user into clicking a crafted link to the Immich login page. This link exploits a flaw in how the application handles a URL parameter, causing malicious JavaScript to run within the user's browser. The attacker can then leverage the victim's active session to create an API key, granting them full control over the account.

  • Unauthenticated access to login page.
  • User clicks malicious link.
  • Persistent account takeover.

Live Threat

Current exploitation, exposure, and threat context

A reflected cross-site scripting vulnerability on the Immich login page could allow an attacker to take over an authenticated user's account. This happens when a user clicks a malicious link, which then injects JavaScript into Immich's origin. This script can then create an API key with full permissions, leading to a persistent account takeover.

  • User account data at risk.
  • Attacker-controlled link execution.
  • Persistent account takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Immich application owner or the team responsible for its deployment and maintenance is likely accountable for addressing this vulnerability. The first practical step is to identify all instances of Immich, determine their internet reachability and business criticality, and then confirm the specific owner for each deployment before planning remediation actions.

  • Identify affected Immich deployments.
  • Verify internet exposure and business criticality.
  • Coordinate owner-driven remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Immich and how is it used?

Immich is a self-hosted software application designed for managing personal photo and video collections. Users typically run it as a private web service to organize, view, and store their digital media across devices. Because it handles personal libraries, it is often configured to be accessible over a network or the internet, allowing users to reach their media from anywhere.

What does CVE-2026-53662 mean in plain English?

This vulnerability is a form of Cross-Site Scripting (XSS). It occurs when the software incorrectly handles data provided in a URL, allowing an attacker to inject malicious code into the login page. When a user visits this crafted link, the code executes within their browser, enabling the attacker to misuse the victim's active session to create a new, permanent API key with full account permissions.

How does an attacker trigger this vulnerability?

The attack requires a user to click a specially crafted link that directs them to the Immich login page. The issue lies in how the software processes the 'continue' URL parameter. It is important to note that simply visiting a properly configured or updated Immich login page without interacting with a malicious link does not trigger the vulnerability.

Is my Immich instance at risk?

If you are running an affected version of Immich, your instance is potentially vulnerable. According to Halo Surface Signal, because Immich is a web-based service frequently exposed to the internet to support remote media access, the login page is a likely target. Instances that are internet-facing are at a higher risk of being reached by external attackers.

What should I do if I use Immich?

The primary step is to update your software to a version that includes the fix, which is available in commit 4eb1003. Start by locating all your Immich deployments, checking if they are reachable from the internet, and then applying the patch. Ensuring your deployment is running the latest code is the most effective way to protect your account and data from this flaw.

References