3 matches found
CVE-2026-59258
immich before 3.0.3 contains a broken access control vulnerability in the PUT /albums/:id/user/:userId endpoint that allows shared album editors to modify member roles without owner-only restrictions. Attackers with editor access can demote the album owner to editor and promote themselves to owne...
EUVD-2026-44755
immich before 3.0.3 contains a broken access control vulnerability in the PUT /albums/:id/user/:userId endpoint that allows shared album editors to modify member roles without owner-only restrictions. Attackers with editor access can demote the album owner to editor and promote themselves to owne...
CVE-2026-59258
CVE-2026-59258 affects Immich before 3.0.3. A broken access control on PUT /albums/:id/user/:userId lets shared album editors modify member roles, enabling an editor to demote the owner to editor and promote themselves to owner via sequential requests, yielding full control including deletion and...