Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick's path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent reading from files have been taken in versions 7.1.2-15 and 6.9.13-40. But to make sure writing is also not possible, the following should be added to one's policy. This will also be included in ImageMagick's more secure policies by default.
Published: 2026-02-24
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Disclosure
Action: Patch
AI Analysis

Impact

ImageMagick implements path-based security with policy rules such as /etc/* to deny access to sensitive files. Prior to 7.1.2-15 and 6.9.13-40, the policy matcher examines the unnormalized filename before the operating system resolves it. A malicious user can embed a path traversal sequence in the raw filename; ImageMagick will bypass the policy check, the OS will resolve the traversal, and the file is opened, allowing the attacker to read arbitrary local files. This flaw (CWE-22) provides local file disclosure, compromising confidentiality of any file reachable by the system.
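The ordering problem described above (glob matched against the raw string, filesystem resolving a different path) is easy to reproduce in miniature. The following is an added illustration, not ImageMagick's own code: a toy deny-list matcher in Python, written once the way the advisory says the vulnerable versions behaved (pattern checked against the filename as given) and once the hardened way (path canonicalized first, then checked). The function names, the deny pattern list and the assumed working directory /srv/app are constructed for the example.

```python
import fnmatch
import posixpath

# Constructed deny rules in the spirit of a path policy such as ImageMagick's
# "/etc/*" rule. This is an illustrative list, not the project's policy file.
DENY_PATTERNS = ("/etc/*",)


def policy_allows_raw(path: str, deny=DENY_PATTERNS) -> bool:
    """Naive matcher: tests the deny globs against the filename string exactly as
    the caller supplied it. This mirrors the pre-fix ordering the advisory
    describes, where the matcher never sees the path the OS will actually open."""
    return not any(fnmatch.fnmatchcase(path, pattern) for pattern in deny)


def normalize(path: str, cwd: str = "/srv/app") -> str:
    """Canonicalize a path the way the kernel will interpret it: make it absolute
    relative to the assumed working directory and collapse '.' and '..' segments.
    A production check should additionally resolve symlinks (os.path.realpath)
    against the real filesystem; normpath alone is enough to show the ordering bug."""
    if not posixpath.isabs(path):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def policy_allows_normalized(path: str, deny=DENY_PATTERNS, cwd: str = "/srv/app") -> bool:
    """Hardened matcher: canonicalize first, then apply the same deny globs, so the
    string the policy sees is the string the filesystem will resolve."""
    return policy_allows_raw(normalize(path, cwd), deny)


def audit(paths, cwd: str = "/srv/app"):
    """Return (input, canonical form, raw verdict, normalized verdict) for each path,
    which makes the divergence between the two matchers visible in one table."""
    return [
        (p, normalize(p, cwd), policy_allows_raw(p), policy_allows_normalized(p, cwd=cwd))
        for p in paths
    ]


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary image path, a direct hit on the deny
    # rule, and a relative path that climbs out of the working directory.
    samples = ["images/input.png", "/etc/hostname", "../../etc/hostname"]
    for raw, canon, raw_ok, norm_ok in audit(samples):
        print(f"{raw:24} -> {canon:20} raw_matcher={'allow' if raw_ok else 'deny':5} "
              f"normalized_matcher={'allow' if norm_ok else 'deny'}")
```

Running the block prints one line per sample; the relative path is allowed by the raw matcher but denied once it is canonicalized to /etc/hostname, which is exactly the gap the fixed releases close by normalizing before evaluating the policy.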

Affected Systems

The vulnerability affects all ImageMagick installations before versions 7.1.2-15 and 6.9.13-40. Systems running those earlier releases are at risk regardless of the presence or strength of policy-secure.xml, because the policy is matched against the unnormalized path before the filesystem resolves it.

Risk and Exploitability

The CVSS score of 8.6 reflects a high severity. The EPSS score is lower than 1%, indicating a very small probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires local access to a process that runs ImageMagick on crafted image data; an attacker could trigger the read by providing a specially crafted image file or by compromising a user that processes untrusted images.

Generated by OpenCVE AI on April 17, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later, which implements proper path normalization before policy evaluation.
  • Replace or update the policy-secure.xml file to the latest official policy set that includes the enhanced path checks.
  • Add explicit deny rules for write operations in the policy file, ensuring that any path traversal cannot result in unintended file creation or modification.

Generated by OpenCVE AI on April 17, 2026 at 16:00 UTC.

Advisories

Source        ID                   Title
Debian DLA    DLA-4497-1           imagemagick security update
Debian DSA    DSA-6158-1           imagemagick security update
Debian DSA    DSA-6159-1           imagemagick security update
Github GHSA   GHSA-8jvj-p28h-9gm7  ImageMagick: Policy bypass through path traversal allows reading restricted content despite secured policy
History

Thu, 26 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: -
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: CPEs
Values Removed: -
Values Added: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 12:15:00 +0000

Type: References
Values Removed: -
Values Added: -

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Important


Tue, 24 Feb 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: -
Values Added: Imagemagick; Imagemagick imagemagick

Type: Vendors & Products
Values Removed: -
Values Added: Imagemagick; Imagemagick imagemagick

Tue, 24 Feb 2026 02:00:00 +0000

Type: Description
Values Removed: -
Values Added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick's path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent reading from files have been taken in versions 7.1.2-15 and 6.9.13-40. But to make sure writing is also not possible, the following should be added to one's policy. This will also be included in ImageMagick's more secure policies by default.

Type: Title
Values Removed: -
Values Added: ImageMagick's policy bypass through path traversal allows reading restricted content despite secured policy

Type: Weaknesses
Values Removed: -
Values Added: CWE-22

Type: References
Values Removed: -
Values Added: -

Type: Metrics (cvssV3_1)
Values Removed: -
Values Added: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:29:36.814Z

Reserved: 2026-02-09T17:13:54.066Z

Link: CVE-2026-25965

Vulnrichment

Updated: 2026-02-26T15:29:28.983Z

NVD

Status : Analyzed

Published: 2026-02-24T02:16:01.167

Modified: 2026-02-25T11:54:18.593

Link: CVE-2026-25965

Redhat

Severity : Important

Public Date: 2026-02-24T01:20:44Z

Links: CVE-2026-25965 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses