PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53662 immich-app CVE debrief

CVE-2026-53662 is a critical vulnerability in Immich, a self-hosted photo and video management solution. A reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The vulnerability exists from commit 4ffa26c9 until 4eb1003. The "continue" query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.

Vendor: immich-app
Product: immich
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Administrators and users of Immich, a self-hosted photo and video management solution, should be aware of this critical vulnerability. Any authenticated user who clicks a crafted link to the /auth/login page can have their account persistently taken over, so Immich administrators should ensure that their instances are updated to a version that includes the fix.

Technical summary

The vulnerability is a reflected cross-site scripting (XSS) vulnerability on the /auth/login page of Immich. The "continue" query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation. This allows an attacker to inject malicious JavaScript code, which can then be executed inside Immich's origin. The payload uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. The vulnerability exists from commit 4ffa26c9 until 4eb1003 and is fixed in commit 4eb1003.

Defensive priority

This vulnerability has a CVSS score of 9.6 and is classified as CRITICAL. It is essential for Immich administrators to prioritize patching this vulnerability to prevent potential attacks.

Recommended defensive actions

  • Update Immich to a version that includes the fix (commit 4eb1003 or later)
  • Review and monitor Immich instance logs for potential suspicious activity
  • Implement additional security measures, such as web application firewalls (WAFs) and intrusion detection systems (IDSs)
  • Educate users on the risks of clicking on suspicious links
  • Consider implementing compensating controls, such as multi-factor authentication
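The redirect pattern described in the technical summary, shown unvalidated beside a hardened version, together with a retrospective check over access logs for the monitoring step above, as an added JavaScript example that is not Immich's code. The function names, the sentinel origin immich.invalid and the log lines are constructed here; the example assumes only what the debrief states, namely that the raw "continue" value was handed to SvelteKit's redirect() and that the fix is to accept nothing but a same-origin path. It goes slightly beyond the page's single case by also rejecting the dot-segment form that normalises to a protocol-relative path.

```javascript
// Added example (not Immich's code): validating a post-login "continue" value
// before it reaches a redirect, plus a log check for values that fail validation.

// Sentinel base used only to resolve relative paths; the real origin is irrelevant
// because the validator never returns an absolute URL.
const SENTINEL_ORIGIN = "https://immich.invalid";

// The pattern the debrief describes: whatever arrived in ?continue= becomes the
// redirect target, so schemes, protocol-relative hosts and backslashes pass through.
function unsafeContinueTarget(rawContinue) {
  return rawContinue ?? "/";
}

// Returns the value as a same-origin path (path + query + fragment), or null if it
// cannot be shown to stay on this origin.
function validateContinue(rawContinue) {
  if (typeof rawContinue !== "string" || rawContinue.length === 0) return null;
  // Control characters and backslashes are rejected before parsing: the WHATWG URL
  // parser turns "\" into "/" for http(s), so "/\host" would become "//host".
  if (/[\u0000-\u001f\u007f\\]/.test(rawContinue)) return null;
  // Must be an absolute path on this origin: exactly one leading slash rules out
  // "//host" (protocol-relative) and "scheme:..." (javascript:, data:, https:).
  if (!rawContinue.startsWith("/") || rawContinue.startsWith("//")) return null;
  let resolved;
  try {
    resolved = new URL(rawContinue, SENTINEL_ORIGIN);
  } catch {
    return null;
  }
  // Anything that escaped the sentinel origin during resolution is cross-origin.
  if (resolved.origin !== SENTINEL_ORIGIN) return null;
  // Dot-segment normalisation can manufacture a leading "//" (e.g. "/..//host"),
  // which a browser reads as protocol-relative, so re-check after parsing.
  if (resolved.pathname.startsWith("//")) return null;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Hardened replacement for unsafeContinueTarget: the result is what the login
// route would hand to SvelteKit's redirect(); invalid input falls back to the root.
function safeContinueTarget(rawContinue, fallback = "/") {
  return validateContinue(rawContinue) ?? fallback;
}

// Constructed access-log lines in a common-log-like shape (not real Immich logs).
const SAMPLE_LOG = [
  '203.0.113.7 - - [23/Jun/2026:10:01:02 +0000] "GET /auth/login?continue=%2Fphotos HTTP/1.1" 200 512',
  '203.0.113.7 - - [23/Jun/2026:10:02:15 +0000] "GET /auth/login?continue=javascript%3Avoid(0) HTTP/1.1" 302 0',
  '198.51.100.9 - - [23/Jun/2026:10:03:40 +0000] "GET /auth/login?continue=%2F%2Fattacker.example%2F HTTP/1.1" 302 0',
  '198.51.100.9 - - [23/Jun/2026:10:04:01 +0000] "GET /api/server/ping HTTP/1.1" 200 16',
];

// Extracts the decoded "continue" value from a request target, or null if absent.
function continueParamOf(requestTarget) {
  const q = requestTarget.indexOf("?");
  if (q === -1) return null;
  return new URLSearchParams(requestTarget.slice(q + 1)).get("continue");
}

// Flags /auth/login requests whose continue value the validator would refuse:
// a benign link never needs a scheme, a second host or a backslash there.
function findSuspiciousContinue(lines) {
  const requestRe = /^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) HTTP\/[\d.]+"/;
  const hits = [];
  for (const line of lines) {
    const m = requestRe.exec(line);
    if (!m) continue;
    const [, client, timestamp, target] = m;
    if (!target.startsWith("/auth/login")) continue;
    const value = continueParamOf(target);
    if (value !== null && validateContinue(value) === null) {
      hits.push({ client, timestamp, value });
    }
  }
  return hits;
}

console.log(findSuspiciousContinue(SAMPLE_LOG));
```

Run it with node. validateContinue is the check the login route should apply before calling redirect(); findSuspiciousContinue is a sweep over web-server or reverse-proxy access logs and only works where query strings are logged, which is worth confirming before relying on it for the monitoring step.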

Evidence notes

The vulnerability is documented in the CVE-2026-53662 record and the NVD detail page. The source item URL provides additional information on the vulnerability, including references to the Immich GitHub repository.

Official resources

This article is AI-assisted and based on the supplied source corpus.