Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access
Action: Patch
AI Analysis

Impact

ImageMagick contains a time‑of‑check to time‑of‑use race condition in its path policy enforcement. An attacker can replace a file with a symlink after the policy has been checked but before the file is opened, allowing the software to read or write files outside the intended directory. The flaw is identified as a race condition (CWE‑367) and an improper path restriction (CWE‑59) that can lead to disclosure or modification of protected data. The vulnerability does not give code execution but permits unauthorized access to filesystem objects.

Affected Systems

All installations of ImageMagick earlier than version 7.1.2‑16 and 6.9.13‑41 are affected. These versions are widely used in web servers, content management systems, and automated image processing pipelines. Any environment that processes external images with these versions is at risk.

Risk and Exploitability

The CVSS score of 6.3 reflects moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation at the time of assessment, and the flaw is not currently listed in the CISA KEV database. Based on the description, it is inferred that exploitation may involve providing malicious image files or manipulating the image processing workflow to trigger the race condition, but this is not explicitly stated in the input; it is a logical deduction from the described TOCTOU behavior.

Generated by OpenCVE AI on April 16, 2026 at 10:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to at least 7.1.2‑16 or 6.9.13‑41, which eliminates the race condition.
  • If an immediate upgrade is not possible, modify the policy.xml configuration to disallow symbolic links in the directories used for image processing, hardening the path policy against TOCTOU swaps.
  • Run image processing duties in a minimal‑privilege, isolated service so that even if a file‑access bypass occurs, the impact is contained.

Generated by OpenCVE AI on April 16, 2026 at 10:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4539-1 imagemagick security update
Debian DSA Debian DSA DSA-6169-1 imagemagick security update
Debian DSA Debian DSA DSA-6210-1 imagemagick security update
Github GHSA Github GHSA GHSA-493f-jh8w-qhx3 ImageMagick has a Path Policy TOCTOU symlink race bypass
History

Thu, 12 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 10 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick has a Path Policy TOCTOU symlink race bypass
Weaknesses CWE-367
CWE-59
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T03:56:29.129Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28689

cve-icon Vulnrichment

Updated: 2026-03-10T15:56:35.671Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:43:43.963

Modified: 2026-03-12T14:46:19.103

Link: CVE-2026-28689

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-09T21:39:13Z

Links: CVE-2026-28689 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses