Immich API Key Privilege Escalation Vulnerability
Vulnerability
A vulnerability in Immich prior to version 2.5.0 allows API keys to escalate their permissions. Low-privilege API keys can use the update endpoint to gain full administrative access. This issue arises because the update method does not properly validate whether the API key has the authority to grant the requested permissions. As a result, any user capable of creating an API key can escalate it to have complete administrative rights, leading to unauthorized access to all user data and administrative functions.
Impact
Exploitation of this vulnerability allows for complete account takeover, granting access to all user data and administrative functions.
Reproduction
To reproduce this vulnerability, first create an admin account and log in. Then create a limited API key with only the 'apiKey.read' and 'apiKey.update' permissions. Attempt to use that API key to create an album; this should fail due to insufficient permissions. Next, exploit the vulnerability by using the limited API key to update its own permissions to 'all'. Finally, verify the escalation by creating an album again, which should now succeed.
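The missing authorization check that the Vulnerability and Reproduction sections describe, as an added TypeScript example: this is not Immich's code, and the permission model, the `ApiKey` shape and the `album.create` name are assumptions, while `apiKey.read`, `apiKey.update` and `all` are the values named in the advisory.

```typescript
// Illustrative permission model (assumed, not Immich's own code): an API key
// carries a set of permission strings, and the wildcard "all" grants everything.
type Permission = string;

export interface ApiKey {
  id: string;
  userId: string;
  permissions: Set<Permission>;
}

// Does this key hold `perm`, either directly or through the "all" wildcard?
export function hasPermission(key: ApiKey, perm: Permission): boolean {
  return key.permissions.has("all") || key.permissions.has(perm);
}

// Vulnerable shape (assumed to mirror the bug class, not the actual Immich code):
// the handler checks only that the caller may update keys, then stores whatever
// permission set was requested. A key holding just apiKey.update can therefore
// rewrite itself to "all".
export function updatePermissionsVulnerable(
  caller: ApiKey, target: ApiKey, requested: Permission[],
): ApiKey {
  if (!hasPermission(caller, "apiKey.update")) throw new Error("forbidden");
  return { ...target, permissions: new Set(requested) };
}

// A caller may grant only permissions it already holds; "all" therefore
// requires a caller that itself holds "all".
export function canGrant(caller: ApiKey, requested: Permission[]): boolean {
  return requested.every((p) => hasPermission(caller, p));
}

// Hardened shape: same endpoint, but the requested set is bounded by the
// caller's own effective permissions and the key must belong to the same user.
export function updatePermissionsChecked(
  caller: ApiKey, target: ApiKey, requested: Permission[],
): ApiKey {
  if (!hasPermission(caller, "apiKey.update")) throw new Error("forbidden: apiKey.update required");
  if (target.userId !== caller.userId) throw new Error("forbidden: key belongs to another user");
  if (!canGrant(caller, requested)) throw new Error("forbidden: cannot grant permissions the caller lacks");
  return { ...target, permissions: new Set(requested) };
}
```

With a key holding only `apiKey.read` and `apiKey.update`, the vulnerable handler accepts a request for `all` and the key then passes any later permission check; the checked handler rejects the same request and still allows narrowing the key to a subset it already holds.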
Remediation
Users should update to Immich version 2.5.0 or later, where this vulnerability has been fixed.