Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

New Exploitable BOLA Found in Immich (self-hosted media platform)

0
Medium
Published: 07/16/2026 (07/16/2026, 17:28:27 UTC)
Source: Reddit NetSec

Description

A Broken Access Control vulnerability was discovered in Immich, a self-hosted media platform. The flaw allows any user to access photos stored in a locked folder without entering the required PIN. This occurs because one of the search endpoints (POST /search/random) does not enforce the PIN protection, exposing locked assets of the caller and their partners. Immich uses a PIN-elevated session to protect sensitive media, but this endpoint bypasses that control.

Reddit Discussion

r/netsec·posted by u/EscapeSecurity
00

Full disclosure I'm at Escape but wanted to share something we found that would be interesting to those here!

Escape's security research team found a Broken Access Control flaw in Immich which let any user read photos in a locked folder without the required PIN.

Immich is a self-hosted media platform with 100k+ stars on GitHub.

Their "locked folder" hides sensitive assets behind a PIN-elevated session.

What we found:

Four of the five search endpoints enforce that; POST /search/random doesn't. If you send it with the visibility field simply omitted and it returns the caller's locked assets from a session that never entered the PIN, and, with a partner relationship, the partner's locked assets too.

If you're interested in how we did it or how you can reproduce it yourself the full breakdown with reproduction instructions is linked!

And if anyone has any questions we would love to answer them.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 17:47:44 UTC

Technical Analysis

Immich's self-hosted media platform implements a 'locked folder' feature that restricts access to sensitive photos via a PIN-elevated session. However, the POST /search/random endpoint does not enforce this access control, allowing unauthorized users to retrieve locked assets without PIN authentication. This Broken Access Control (BOLA) vulnerability exposes private media to unauthorized access. The issue was publicly disclosed by EscapeSecurity's research team on Reddit's r/netsec, including reproduction details. No patch or official fix information is provided in the available data.

Potential Impact

Unauthorized users can access photos in locked folders without the required PIN, potentially exposing sensitive or private media. This compromises the confidentiality of user data stored in Immich's locked folders. The flaw affects both the caller's locked assets and those of their partners if a partner relationship exists.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the affected endpoint or disabling the POST /search/random endpoint if possible. Monitor official Immich channels for updates and apply patches promptly once released.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Source Type
reddit
Subreddit
netsec
Reddit Score
0
Discussion Level
minimal
Content Source
reddit_link_post
Post Type
link
Domain
null
Newsworthiness Assessment
{"score":30,"reasons":["external_link","newsworthy_keywords:exploit","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["exploit"],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
false

Threat ID: 6a59192e68715ace4372f4e3

Added to database: 07/16/2026, 17:47:26 UTC

Last enriched: 07/16/2026, 17:47:44 UTC

Last updated: 07/17/2026, 03:17:20 UTC

Views: 10

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses