A critical vulnerability has been disclosed in Immich, a rapidly growing open-source project for self-hosted photo and video management, with over 70,000 stars on GitHub. Tracked as CVE-2025-43856 and rated CVSSv4 8.8 (High), the flaw allows attackers to hijack user accounts via a broken OAuth2 implementation.
“Immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked,” the project maintainers confirmed in their disclosure.
Immich is a self-hosted, privacy-focused media management tool that lets users back up, organize, and view personal photos and videos. With its intuitive web UI and seamless integration with mobile apps, it has become a go-to alternative to cloud-based services like Google Photos, especially for privacy-conscious users.
OAuth2 is a widely adopted standard for authentication. It includes a crucial security mechanism called the state parameter, which acts like a CSRF token: the client generates it when it starts the login flow and checks it when the identity provider (e.g., Google) redirects back, so that the response can be tied to the original request made by the user’s browser.
Unfortunately, Immich failed to validate this parameter, meaning any state value, even state=gibberish, would be accepted.
“The state parameter is similar to a csrf token… before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session,” the report explained.
The vulnerability becomes especially dangerous due to the way Immich uses its /user-settings endpoint as the OAuth redirect URI. This page automatically links accounts when a user is already authenticated.
That means an attacker can craft a malicious URL that looks like a normal OAuth login flow, but instead:
- Logs the victim into the attacker’s OAuth account
- Links the victim’s Immich account to the attacker’s credentials
- Gives the attacker persistent access to the victim’s data
A simple hidden iframe or shortened link is all that’s needed to trigger the attack.
“If someone has an Immich instance with a public oauth provider (like Google), an attacker can… embed a hidden iframe in a webpage or even just send the victim a forged oauth login url,” the advisory states.
The flaw affects all Immich instances using public OAuth2 providers like Google, GitHub, or any generic SSO setup, whether self-hosted behind Cloudflare or accessible directly on the web.
In the worst-case scenario, an attacker could hijack an admin account, reconfigure the OAuth provider to their own, and lock everyone else out by disabling password login and terminating active sessions.
“If the attacker manages to hijack an admin account this way, they could… start logging into arbitrary accounts and lock out the admin by disabling password login,” the report warns.
All versions prior to v1.132.0 are affected. The vulnerability is patched in Immich version 1.132.0.