CRITICAL | CVE-2026-53662 | CNA: GitHub_M

CVE-2026-53662: immich: One-click account takeover via XSS in login page continue redirect

immich is a high-performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login page allows an attacker to fully compromise any authenticated user's account with a single link click. The continue query parameter is read from the URL and passed to SvelteKit's redirect() without any scheme or origin validation, allowing attacker-controlled JavaScript to execute inside Immich's origin. The payload then uses the victim's existing session to mint an all-permission API key on their account, leading to persistent account takeover. This vulnerability is fixed in commit 4eb1003.

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: no fix version listed
Affected Products: 1


HarborGuard Analysis

Synopsis

Reflected cross-site scripting (XSS) in the login page of immich, a self-hosted photo and video management application, allows a remote unauthenticated attacker to execute attacker-controlled JavaScript inside the victim's browser by tricking them into clicking a crafted link. The vulnerable continue query parameter on the /auth/login route is passed to SvelteKit's redirect() without any scheme or origin validation, enabling script execution within immich's origin using the victim's active session. Successful exploitation gives the attacker persistent, full-permission API key access to the victim's account, constituting a complete account takeover. No fix version has been published yet; HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as a fix ships.

HarborGuard Coverage

Detection (status: Available)

Detection capability is available across every HarborGuard environment: CVE-2026-53662 is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built immich images, in both registry scans and CI pipeline checks.

Triage (status: Available)

HarborGuard scores this CVE at CVSS 9.6 Critical and weights it against each environment's compliance policy, routing findings to the appropriate team inbox within each customer organization for prioritized review.

Patch (status: Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix commit is tagged upstream. Where compliance policy permits, auto-remediation customers will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the malicious link over the network; the victim's browser must be able to reach the immich login page from a network-accessible instance.

  • Authentication: Not required

    No account or credentials are needed by the attacker; the crafted URL is constructed and distributed without any prior authentication.

  • Victim interaction: Required

    The victim must click a specially crafted link that loads the malicious continue parameter on the /auth/login page, making this a social-engineering-dependent exploit.

  • Attack complexity: Low

    Attack complexity is low; no race conditions, memory layout requirements, or special environmental conditions are needed to reliably trigger the XSS payload.

Blast Radius

  • The attacker's injected script mints an all-permission API key using the victim's existing session, granting durable programmatic access to the account even after the victim logs out.
  • The attacker reads all photos, videos, and metadata stored in the victim's immich library, exposing potentially sensitive personal media.
  • The attacker modifies or deletes albums, shared links, and stored assets within the victim's account.
  • The scope change (S:C in the CVSS vector) means the injected script executes within immich's origin and can interact with any resource or cookie scoped to that origin, extending impact beyond the immich application boundary if other services share the same domain.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-53662, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will trigger patched-image rebuild availability the moment a fix version is released upstream. For customers with auto-remediation enabled, this means the rebuild, regression-test run, and a PR against affected workloads will be available without manual steps the moment a patch is confirmed.

In the interim, recommended compensating controls include:

  • restricting network-policy access to the immich login endpoint to trusted source ranges only;
  • placing a reverse proxy with strict query-parameter allow-listing in front of the login route to block non-allowlisted continue values;
  • auditing existing API keys on immich accounts for any unexpected high-permission tokens that may indicate prior exploitation.

HarborGuard will surface a resolution notification in the findings feed for this CVE once the upstream commit is tagged and scanned.
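The root cause described in the synopsis is a continue value reaching redirect() with no scheme or origin check, and the compensating control above is to allow-list that value before the login route sees it. The function below is an added example of that check (not immich's or HarborGuard's code): it accepts only a same-origin relative path and returns a fallback for anything else, including javascript: URLs, protocol-relative //host forms and absolute URLs. The placeholder origin immich.invalid and the function name are assumptions for illustration.

```javascript
// Added example, not code from the immich project or from HarborGuard.
// Returns a safe in-app path for a post-login "continue" value, or the
// fallback when the value would leave the application's origin.
const FALLBACK = '/';

function safeContinuePath(raw, fallback = FALLBACK) {
  if (typeof raw !== 'string' || raw.length === 0) return fallback;

  // Resolve against a constructed placeholder origin (never contacted) so that
  // relative paths, absolute URLs and non-http schemes all parse uniformly.
  const base = 'https://immich.invalid';
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return fallback; // unparseable input is not a valid destination
  }

  // Anything that resolved to a different origin was an absolute URL, a
  // protocol-relative "//host" form, a backslash variant such as "/\host",
  // or a non-http scheme such as "javascript:" (whose origin is "null").
  if (url.origin !== base) return fallback;

  // Accept only values that start with exactly one "/": an absolute URL that
  // happens to name our own host is still not an in-app path.
  if (!raw.startsWith('/') || raw.startsWith('//') || raw.startsWith('/\\')) {
    return fallback;
  }

  // Hand back the normalised path, query and fragment, never the raw string.
  return url.pathname + url.search + url.hash;
}
```

The value returned by safeContinuePath(), rather than the raw query parameter, is what should be handed to redirect(); the same rule can be applied at a reverse proxy to drop requests whose continue parameter would fail it.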

Affected packages
  • immich-app / immich
    >= main@4ffa26c9, < main@4eb1003
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H