New Exploitable BOLA Found in Immich (self-hosted media platform)
A Broken Access Control vulnerability was discovered in Immich, a self-hosted media platform. The flaw allows any user to access photos stored in a locked folder without entering the required PIN. This occurs because one of the search endpoints (POST /search/random) does not enforce the PIN protection, exposing locked assets of the caller and their partners. Immich uses a PIN-elevated session to protect sensitive media, but this endpoint bypasses that control.
AI Analysis
Technical Summary
Immich's self-hosted media platform implements a 'locked folder' feature that restricts access to sensitive photos via a PIN-elevated session. However, the POST /search/random endpoint does not enforce this access control, allowing unauthorized users to retrieve locked assets without PIN authentication. This Broken Access Control (BOLA) vulnerability exposes private media to unauthorized access. The issue was publicly disclosed by EscapeSecurity's research team on Reddit's r/netsec, including reproduction details. No patch or official fix information is provided in the available data.
Potential Impact
Unauthorized users can access photos in locked folders without the required PIN, potentially exposing sensitive or private media. This compromises the confidentiality of user data stored in Immich's locked folders. The flaw affects both the caller's locked assets and those of their partners if a partner relationship exists.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the affected endpoint or disabling the POST /search/random endpoint if possible. Monitor official Immich channels for updates and apply patches promptly once released.
New Exploitable BOLA Found in Immich (self-hosted media platform)
Description
A Broken Access Control vulnerability was discovered in Immich, a self-hosted media platform. The flaw allows any user to access photos stored in a locked folder without entering the required PIN. This occurs because one of the search endpoints (POST /search/random) does not enforce the PIN protection, exposing locked assets of the caller and their partners. Immich uses a PIN-elevated session to protect sensitive media, but this endpoint bypasses that control.
Reddit Discussion
Full disclosure I'm at Escape but wanted to share something we found that would be interesting to those here!
Escape's security research team found a Broken Access Control flaw in Immich which let any user read photos in a locked folder without the required PIN.
Immich is a self-hosted media platform with 100k+ stars on GitHub.
Their "locked folder" hides sensitive assets behind a PIN-elevated session.
What we found:
Four of the five search endpoints enforce that; POST /search/random doesn't. If you send it with the visibility field simply omitted and it returns the caller's locked assets from a session that never entered the PIN, and, with a partner relationship, the partner's locked assets too.
If you're interested in how we did it or how you can reproduce it yourself the full breakdown with reproduction instructions is linked!
And if anyone has any questions we would love to answer them.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Immich's self-hosted media platform implements a 'locked folder' feature that restricts access to sensitive photos via a PIN-elevated session. However, the POST /search/random endpoint does not enforce this access control, allowing unauthorized users to retrieve locked assets without PIN authentication. This Broken Access Control (BOLA) vulnerability exposes private media to unauthorized access. The issue was publicly disclosed by EscapeSecurity's research team on Reddit's r/netsec, including reproduction details. No patch or official fix information is provided in the available data.
Potential Impact
Unauthorized users can access photos in locked folders without the required PIN, potentially exposing sensitive or private media. This compromises the confidentiality of user data stored in Immich's locked folders. The flaw affects both the caller's locked assets and those of their partners if a partner relationship exists.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the affected endpoint or disabling the POST /search/random endpoint if possible. Monitor official Immich channels for updates and apply patches promptly once released.
Technical Details
- Source Type
- Subreddit
- netsec
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":30,"reasons":["external_link","newsworthy_keywords:exploit","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["exploit"],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a59192e68715ace4372f4e3
Added to database: 07/16/2026, 17:47:26 UTC
Last enriched: 07/16/2026, 17:47:44 UTC
Last updated: 07/17/2026, 03:17:20 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.