[VULNERABILITY - Information Disclosure] Faces tagged by other users are suggested when merging faces #1533

Closed
opened 2026-02-20 00:10:58 -05:00 by deekerman · 1 comment

Originally created by @thariq-shanavas on GitHub (Oct 29, 2023).

The bug

This appears to be a low-severity vulnerability, so I am posting it publicly instead of emailing Alex.

When I attempt to assign a name to a face, the suggested names include faces tagged by other users.
In the example below, my (admin) account does not have any pictures of Jason Oberbreckling, but another user does. I do have a handful of pictures of Obama on my account - I upload one every time I update the server to make sure everything is working :P

image

The OS that Immich Server is running on

Debian 12

Version of Immich Server

1.83.0

Version of Immich Mobile App

NA

Platform with the issue

  • [ ] Server
  • [x] Web
  • [ ] Mobile

Your docker-compose.yml content

version: "3.8"

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: [ "start.sh", "immich" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - .env
    depends_on:
      - redis
      - database
      - typesense
    restart: always

  immich-microservices:
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.yml
    #   service: hwaccel
    command: [ "start.sh", "microservices" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - .env
    depends_on:
      - redis
      - database
      - typesense
    restart: always
    deploy:
      resources:
        limits:
          cpus: '3.5'

#  machine learning is hosted on the cloud, connected via wireguard.
#  immich-machine-learning:
#    container_name: immich_machine_learning
#    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
#    volumes:
#      - model-cache:/cache
#    env_file:
#      - .env
#    restart: always

  immich-web:
    container_name: immich_web
    image: ghcr.io/immich-app/immich-web:${IMMICH_VERSION:-release}
    env_file:
      - .env
    restart: always

  typesense:
    container_name: immich_typesense
    image: typesense/typesense:0.24.1@sha256:9bcff2b829f12074426ca044b56160ca9d777a0c488303469143dd9f8259d4dd
    environment:
      - TYPESENSE_API_KEY=${TYPESENSE_API_KEY}
      - TYPESENSE_DATA_DIR=/data
      # remove this to get debug messages
      - GLOG_minloglevel=1
    volumes:
      - tsdata:/data
    restart: always
    deploy:
      resources:
        limits:
          cpus: '2.0'


  redis:
    container_name: immich_redis
    command: redis-server --loglevel warning
    image: redis:6.2-alpine@sha256:70a7a5b641117670beae0d80658430853896b5ef269ccf00d1827427e3263fa3
    restart: always

  database:
    container_name: immich_postgres
    image: postgres:14-alpine@sha256:28407a9961e76f2d285dc6991e8e48893503cc3836a4755bbc2d40bcc272a441
    env_file:
      - .env
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: always

  immich-proxy:
    container_name: immich_proxy
    image: ghcr.io/immich-app/immich-proxy:${IMMICH_VERSION:-release}
    environment:
      # Make sure these values get passed through from the env file
      - IMMICH_SERVER_URL
      - IMMICH_WEB_URL
    ports:
      - 2283:8080
    depends_on:
      - immich-server
      - immich-web
    restart: always

volumes:
  pgdata:
  model-cache:
  tsdata:

Your .env content

NA

Reproduction steps

1. Upload picture with a new face
2. Click on identified face from sidebar
3. Start typing in name
...

Additional information

No response
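
The behaviour reported above, reduced to a minimal model. This is an added example, not part of the original report and not Immich's code: the `Person` shape, the sample rows and every function name are hypothetical. It contrasts a name lookup that ignores ownership with one scoped to the requesting account, and adds a regression check that lists any cross-account suggestion.

```typescript
// Constructed model of the bug class; types and names are hypothetical, not Immich's.
interface Person { id: string; ownerId: string; name: string; }

// Constructed sample data mirroring the report: two accounts with separately tagged faces.
const people: Person[] = [
  { id: "p1", ownerId: "admin", name: "Obama" },
  { id: "p2", ownerId: "user2", name: "Jason Oberbreckling" },
  { id: "p3", ownerId: "user2", name: "Obama" },
];

type Suggest = (requesterId: string, typed: string) => Person[];

const matches = (p: Person, typed: string): boolean =>
  typed.length > 0 && p.name.toLowerCase().indexOf(typed.toLowerCase()) !== -1;

// Behaviour described in the report: the lookup matches on name only.
const suggestUnscoped: Suggest = (_requesterId, typed) =>
  people.filter((p) => matches(p, typed));

// Scoped lookup: the owner id comes from the authenticated session, never from request input.
const suggestScoped: Suggest = (requesterId, typed) =>
  people.filter((p) => p.ownerId === requesterId && matches(p, typed));

// Regression check: for every account and every typed prefix of every stored name,
// record each suggestion that belongs to a different owner.
function findLeaks(suggest: Suggest): string[] {
  const users: string[] = [];
  for (const p of people) {
    if (users.indexOf(p.ownerId) === -1) users.push(p.ownerId);
  }
  const leaks: string[] = [];
  for (const user of users) {
    for (const target of people) {
      for (let n = 1; n <= target.name.length; n++) {
        for (const hit of suggest(user, target.name.slice(0, n))) {
          const entry = `${user} sees ${hit.ownerId}:${hit.name}`;
          if (hit.ownerId !== user && leaks.indexOf(entry) === -1) leaks.push(entry);
        }
      }
    }
  }
  return leaks.sort();
}
```

Running `findLeaks` against the real suggestion endpoint with two test accounts is the same check in integration-test form: an empty result means no name crosses an account boundary.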

deekerman 2026-02-20 00:10:58 -05:00

@alextran1502 commented on GitHub (Oct 29, 2023):

cc: @martabal 😛

Reference
starred/immich#1533