Horizon Alert
Summary of the vulnerability and why it matters
A security flaw in the Immich photo and video management software could allow an attacker to take over any authenticated user's account by tricking them into clicking a malicious link. This exploit targets the login page and, if successful, can grant the attacker full access to the victim's account and data by creating a new administrative key.
- Unauthenticated users can compromise accounts.
- Attackers can gain full account access and control.
- Confirm relevance and verify exposure for this service.
Attack Path
How an attacker could exploit the issue
An attacker can trick a user into clicking a crafted link to the Immich login page. This link exploits a flaw in how the application handles a URL parameter, causing malicious JavaScript to run within the user's browser. The attacker can then leverage the victim's active session to create an API key, granting them full control over the account.
- Unauthenticated access to login page.
- User clicks malicious link.
- Persistent account takeover.
Live Threat
Current exploitation, exposure, and threat context
A reflected cross-site scripting vulnerability on the Immich login page could allow an attacker to take over an authenticated user's account. This happens when a user clicks a malicious link, which then injects JavaScript into Immich's origin. This script can then create an API key with full permissions, leading to a persistent account takeover.
- User account data at risk.
- Attacker-controlled link execution.
- Persistent account takeover.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Immich application owner or the team responsible for its deployment and maintenance is likely accountable for addressing this vulnerability. The first practical step is to identify all instances of Immich, determine their internet reachability and business criticality, and then confirm the specific owner for each deployment before planning remediation actions.
- Identify affected Immich deployments.
- Verify internet exposure and business criticality.
- Coordinate owner-driven remediation.