The Rollup Visualizer is accessible without login #2956

New Issue

OVERLORD · 2026-02-05T07:14:02+03:00

OVERLORD commented

2026-02-05 07:14:02 +03:00

Originally created by @noki2000 on GitHub (Apr 16, 2024).

The bug

Hello!

I noticed that the "Rollup Visualizer" is accessible even without a login - and not accessible only after passing the login page as it should probably be - therefore a potential breach of information might occur.

The OS that Immich Server is running on

Raspberry Pi OS

Version of Immich Server

v1.101.0

Version of Immich Mobile App

v1.101.0

Platform with the issue

Server
Web
Mobile

Your docker-compose.yml content

(nothing changed)
version: "3.8"

#
# WARNING: Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.>
#
# The compose file on main may not be compatible with the latest release.
#

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: [ "start.sh", "immich" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - 2283:3001
    depends_on:
      - redis
      - database
    restart: always

  immich-microservices:
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/hardware-transcoding
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    command: [ "start.sh", "microservices" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    depends_on:
      - redis
      - database
    restart: always

  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
      - .env
    restart: always

  redis:
    container_name: immich_redis
    image: redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5
    restart: always

  redis:
    container_name: immich_redis
    image: redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5
    restart: always

  database:
    container_name: immich_postgres
    image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: always

volumes:
  pgdata:
  model-cache:

Your .env content

# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables

# The location where your uploaded files are stored
UPLOAD_LOCATION=./library

# The Immich version to use. You can pin this to a specific version like "v1.71.0"
IMMICH_VERSION=release

# Connection secret for postgres. You should change it to a random password
DB_PASSWORD=<#password>

# The values below this line do not need to be changed
###################################################################################
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_DATABASE_NAME=immich

REDIS_HOSTNAME=immich_redis

Reproduction steps

Without being logged in, go to your Immich instance at following address:

<ip>:2283/stats

Relevant log output

No response

Additional information

No response

Originally created by @noki2000 on GitHub (Apr 16, 2024). ### The bug Hello! I noticed that the "Rollup Visualizer" is accessible even without a login - and not accessible only after passing the login page as it should probably be - therefore a potential breach of information might occur. <img width="1428" alt="Bildschirmfoto 2024-04-16 um 19 32 25" src="https://github.com/immich-app/immich/assets/161160694/d44cc86a-b10f-4d42-8aa5-3e912b146cc4"> ### The OS that Immich Server is running on Raspberry Pi OS ### Version of Immich Server v1.101.0 ### Version of Immich Mobile App v1.101.0 ### Platform with the issue - [X] Server - [X] Web - [ ] Mobile ### Your docker-compose.yml content ```YAML (nothing changed) version: "3.8" # # WARNING: Make sure to use the docker-compose.yml of the current release: # # https://github.com/immich-app/immich/releases/latest/download/docker-compose.> # # The compose file on main may not be compatible with the latest release. # name: immich services: immich-server: container_name: immich_server image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} command: [ "start.sh", "immich" ] volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload - /etc/localtime:/etc/localtime:ro env_file: - .env ports: - 2283:3001 depends_on: - redis - database restart: always immich-microservices: container_name: immich_microservices image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/hardware-transcoding # file: hwaccel.transcoding.yml # service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding command: [ "start.sh", "microservices" ] volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload - /etc/localtime:/etc/localtime:ro env_file: - .env depends_on: - redis - database restart: always immich-machine-learning: container_name: immich_machine_learning # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag. # Example tag: ${IMMICH_VERSION:-release}-cuda image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release} # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration # file: hwaccel.ml.yml # service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable volumes: - model-cache:/cache env_file: - .env restart: always redis: container_name: immich_redis image: redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5 restart: always redis: container_name: immich_redis image: redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5 restart: always database: container_name: immich_postgres image: tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0 environment: POSTGRES_PASSWORD: ${DB_PASSWORD} POSTGRES_USER: ${DB_USERNAME} POSTGRES_DB: ${DB_DATABASE_NAME} volumes: - pgdata:/var/lib/postgresql/data restart: always volumes: pgdata: model-cache: ``` ### Your .env content ```Shell # You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables # The location where your uploaded files are stored UPLOAD_LOCATION=./library # The Immich version to use. You can pin this to a specific version like "v1.71.0" IMMICH_VERSION=release # Connection secret for postgres. You should change it to a random password DB_PASSWORD=<#password> # The values below this line do not need to be changed ################################################################################### DB_HOSTNAME=immich_postgres DB_USERNAME=postgres DB_DATABASE_NAME=immich REDIS_HOSTNAME=immich_redis ``` ### Reproduction steps ```bash Without being logged in, go to your Immich instance at following address: <ip>:2283/stats ``` ### Relevant log output _No response_ ### Additional information _No response_

OVERLORD added the good first issue 🖥️web changelog:skip labels 2026-02-05 07:14:02 +03:00

OVERLORD closed this issue

2026-02-05 07:14:09 +03:00

OVERLORD commented

2026-02-05 07:14:11 +03:00

@bo0tzz commented on GitHub (Apr 16, 2024):

This is just build info which would be the same for any installation, there's no sensitive info being leaked at all right? It'd probably still be good to remove it since it's unnecessary anyways.

@bo0tzz commented on GitHub (Apr 16, 2024): This is just build info which would be the same for any installation, there's no sensitive info being leaked at all right? It'd probably still be good to remove it since it's unnecessary anyways.

OVERLORD commented

2026-02-05 07:14:14 +03:00

@noki2000 commented on GitHub (Apr 16, 2024):

Right, no sensitive information is leaked. But as you suggest, @bo0tzz, deleting (or perhaps putting it behind the login page) would be the way to go.

@noki2000 commented on GitHub (Apr 16, 2024): Right, no sensitive information is leaked. But as you suggest, @bo0tzz, deleting (or perhaps putting it behind the login page) would be the way to go.

OVERLORD commented

2026-02-05 07:14:17 +03:00

@jrasm91 commented on GitHub (Apr 17, 2024):

I'd recommend we just have npm run build vs npm run build:stats. The latter is the only command that produces this file.

@jrasm91 commented on GitHub (Apr 17, 2024): I'd recommend we just have `npm run build` vs `npm run build:stats`. The latter is the only command that produces this file.

OVERLORD referenced this issue

2026-02-05 14:11:22 +03:00

[PR #3035] fix(mobile): rework album detail page header #9824

Sign in to join this conversation.

Branches Tags

main

uhthomas/feat-mobile-search-results

feat/library-offline-stats

chore/translations

uhthomas/fix-mobile-search-results

release/next

renovate/flutter

feat/splash-screen-error

feat/mobile-edit-2-server-sync-entity

update-pwa

refactor/star-rating

uhthomas/feat-sort-smart-search

renovate/github-cqlabs-homebrew-dcm-1.x

push-vxwxqoulmxun

push-zlzxxyywnmtr

chore/deduplicate-storage-template-example

fix/download-button

fix/maintenance-reload

feat/video-player

feat/mobile-editing

feat/use-native-clients

refactor/remove-replace-with-upload

push-snrprxmlposz

push-okmnxsumoyzr

uhthomas/chore-mobile-maplibre

uhthomas/mobile-fix-asset-details-album-pop

feat/crawl-wrapper

feat/open-in-browser

push-skvzqoozqkpl

feat/custom-date-range

feat/edit-filters

fix/locale-settings-desc

push-xyozownmuwqp

push-lvyturrtwkrq

push-mvnsqpxklmnu

push-ztrmyrpuwvow

push-rsywxvptwxuv

push-pvvtwywwqzvy

postgres-socketio

feat/pg-queue

proposal/zod

refactor/asset-upload

feat/integrity-checks-izzy

renovate/connectivity_plus-7.x

better-project-structure

uhthomas/mobile-feat-asset-viewer-details

fix/ml-rocm-build

fix/25803

feat/asset-file-apis

midzelis/wip

push-zpwsovysllvn

push-nwxlpmyzkyrl

feature/bottom-buttons-order

sqlite_thumbs

fix-keep-correct-ios-shared-album-asset

fix-memory-generation-and-display

push-vpxwmwwxwnvw

fix-migration-width-height

revert/prettier-translations

shared-deep-link-handler

feat/thumbnail-native-clients

feat/platform-clients

fix/foreground-cloud-sync

filter-by-person

feat/csp

refactor/sidebar

fix/disable-editing

fix/view-timeline-deeplink

image-zoom-on-slow-connection

fix-consider-dar-for-video-dimension

fix/merged-edited-assets

open-api-fix

feat/create-job-with-dto

use-toast-primary

feat/vitest-4

feat/ios-fastlane-match

match-signing

fix-update-time-update-timeline

feat/modal-routes

feat/panorama-tiles

feature/mobile-view-asset-owner

feat/system-settings

feature/show-activity-count

better-info-in-asset-viewer

fix/all-people-count

feat/location-favorites

feature/rearrange-buttons-2

fix/download-storage-template

feat/kb-shortcuts-mobile

fix/people-count

push-qolzzzzxrvvn

chore/originals-in-asset-files

feat/asset-size-columns

ben/tree-a11y

new-search-filter-ui

refactor/expectSelectedReadonly

refactor/mobile-grdb

push-qvuktpxmkknu

feat/mobile-native-local-sync

refactor/timeline_ops

fix/scrubber_end

feat/version.txt

feat/context-menus

feat/server-chunked-uploads

refactor/virtualsegment

refactor/rename_daymonth_groups

fix/restrict-android-bg-worker

feat/android-periodic-worker

fix-remote-sync-clean-up

refactor/timeline_move_ops

fix/timeline_split_selectable

feat/keyboard_actions_help_modal

feat/static_frontend

feat/notification-warnign-android

feat/plugins2

feat/plugins

test/create-workflow-token-action

fix/docs-force

debug/search-result-similarity

debug/cf-chunked-uploads

feat/eslint_rule

feat/search-filter-album/web

refactor/timeline_photostream

refactor/timelineasset_asset

feat/session-permissions

feat/timeline_photostream_assetnav

feat/timeline_minor_optimize

feat/timeline_perf_nocomp

feat/timeline_search_results_actions

feat/timeline_search_results_page

fix/timeline_padding

fix/timeline_search_reactivity_warnings

feat/timeline_scrollbar

feat/timeline_stream_withviewer

fix/timeline_back_forth_nav

refactor/timeline_photostream_component

fix/generated-files-checks

fix/locate-button-local

chore/base-image-mimalloc

refactor/timeline_assetlayout

refactor/timeline_selectable

refactor/timeline_aware_actions

refactor/timeline_monthsegment

feat/remove-old-pages

chore/deps-gradle

tmp_photostream

tmp/lcms

feat/mobile-dynamic-thumbnails

fix/mobile-finer-thumbnail-concurrency

refactor/timeline1

refactor/extract_photostream

refactor/rename_load_api

refactor/timeline2

refactor/timeline3

feat/multi-select-asset-viewer

feat-no-thumbhash-cache

refactor/asset_grid

feat/faster-access-checks

fix/18991

fix/19543

chore/temp-remove

fix/21419

feat/mobile-hdr-images

chore/update-mise-lockfile

feat/mise-server-checks

feat/mise-ci

feat/windows-2025

feat/dev_cli

refactor/mobile-migrate-clients

fix/map-theme

fix/require-checkbox

chore/use_swc

feat/efficient-thumbnail-decoding

refactor/mobile-thumbhash

refactor/mobile-thumbhash-new

feat/beta-background-upload

fix/beta-timeline-memories-setting

fix/failed-uploads-not-removed

feat/mobile-shared-album

feat/groups

drift-map-page

drift-auth-user-sync

fix/disable-memory

feat/add-to-album-action

edit-date-time-action

drift-people-page

sqlite-remove-isIn

chore/required-reviewers

refact/asset-manager

fix/folder-sort

pnpm

feat/widget-multiple-server-urls

chore/medium-tests-dbname

fix/web-no-iterator-find

fix/map-pan-interruption

track-livephotos

timeline_events

chore/oxlint-migration

feat/maintenance-worker

feat/dav

chore/demo-snapshot

refactor/server-side-dedupe

feat/integrity-checks

dev/recognition-eval

lighter_buckets_test

perf/postgres-queue

postgres-queue

focus_rings

refactor/web-stores-1

refactor/add-to-taken

feat/sort-places

vet

tmp/demo-snapshot-preview

fix/server-migration-file-extension

fix/asset-update-race-condition

rknn-toolkit-lite2

refactor/mobile-split-up-search-page

feature/Add-rocm-support-for-machine-learning

feat/rocm

chore/async-hash-file

feat/shared-link-view-count

feat/rotation

feat/graphql

feat/job-ids

feat/ignore-library-permission-error

feat/docker-compose-builder

feat/kysely-typeorm

mobile/onboarding

no-video-player

fix/server-qsv-output-format

chore/server-geodata-tweaks

mobile/native-video-player-no-hero

feat/xxhash

fix/docs-concurrency

feat/local-tileserver

refactor/exif-orientation

original-path-infix

refactor/mobile/login-form-1

feat/server-editor-endpoints

fix/server-qsv-vbr

fix-mobile-db-problems

feat/ml-armnn-conversion

feat/mobile/backup-with-album-info

feat/fast-initial-sync-1

chore/handle-output_dims

feat/unassign-faces

feat/shortcuts-on-asset-grid

feat/capacitor-mobile-app-poc

feat/server-nvenc-hw-decoding

fix/mobile-fetch-non-archive

web/automation-ui

feat/mobile-server-endpoint-save-dropdown

object-storage

feat/memories-animations

dev/metrics

ml/tflite

feat/ml-export-cli

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: immich-app/immich#2956