Immich Credential Disclosure Vulnerability in Shared Album Authentication

Vulnerability

A vulnerability in the Immich application prior to version 2.6.0 allows for credential disclosure during the authentication process for shared albums. The application transmits the album password as a query parameter in a GET request to the '/api/shared-links/me' endpoint. This exposure of the password in the URL leads to unintended disclosure in browser history, server logs, and referrer headers. As a result, an unauthenticated attacker with access to these logs or intermediate systems could obtain the password, potentially compromising access to the shared album and exposing sensitive user data.
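An added example, not part of this advisory or the Immich project's own code: a defender-side scan of web-server access logs that flags requests to the affected endpoint whose query string carried the password, and produces redacted copies of those lines. It assumes Common Log Format lines and a query parameter named "password"; the advisory does not state the parameter name.

```javascript
// Added example, not Immich project code: scan web-server access logs for
// requests that carried a shared-link password in the URL query string and
// produce redacted copies of the affected lines. Assumes Common Log Format
// and a query parameter named "password" (the advisory does not name it).
const SENSITIVE_PARAMS = ['password'];
const AFFECTED_PATH = '/api/shared-links/me';

// Extract method and request target from a Common Log Format line.
function parseRequest(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+"/);
  return m ? { method: m[1], target: m[2] } : null;
}

// Names of sensitive query parameters present on the affected endpoint.
function leakedParams(target) {
  const url = new URL(target, 'http://placeholder.invalid');
  if (url.pathname !== AFFECTED_PATH) return [];
  return SENSITIVE_PARAMS.filter((p) => url.searchParams.has(p));
}

// Replace the values of sensitive parameters with a fixed marker.
function redactTarget(target) {
  const url = new URL(target, 'http://placeholder.invalid');
  for (const p of SENSITIVE_PARAMS) {
    if (url.searchParams.has(p)) url.searchParams.set(p, 'REDACTED');
  }
  return url.pathname + url.search;
}

// Scan every line; findings carry the redacted line so the report itself
// does not become another place where the password is stored.
function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const req = parseRequest(line);
    if (!req) return;
    const params = leakedParams(req.target);
    if (params.length === 0) return;
    const redacted = line.replace(req.target, redactTarget(req.target));
    findings.push({ line: i + 1, method: req.method, params, redacted });
  });
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [03/Apr/2026:16:40:01 +0000] "GET /api/shared-links/me?password=hunter2 HTTP/1.1" 200 512',
  '10.0.0.5 - - [03/Apr/2026:16:40:02 +0000] "GET /api/assets/42/thumbnail HTTP/1.1" 200 8192',
  '10.0.0.7 - - [03/Apr/2026:16:41:10 +0000] "POST /api/auth/login HTTP/1.1" 201 200',
];
```

Running scanAccessLog(SAMPLE_LOG) reports only the first line, with the password value replaced; the same scan can be pointed at reverse-proxy logs, which see the URL before the application does.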

Impact

Exploitation of this vulnerability could lead to unauthorized access to shared album media and personal data, resulting in a breach of the privacy and confidentiality of private content and user information.

Reproduction

To reproduce this vulnerability, log into the Immich application as an admin. Create a shared album and set a password for the shared link. After generating the link, visit it in an incognito browser window and enter the password to authenticate. The password will be transmitted as a query parameter in the GET request to the '/api/shared-links/me' endpoint, exposing it in the browser's network logs.

Remediation

Users can update to Immich version 2.6.0 or later, where this vulnerability has been patched.

Added: Apr 3, 2026, 4:40 PM
Updated: Apr 3, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.1
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.