Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, the distributed pixel cache was originally designed to operate without a challenge–response authentication model. This has been changed in versions 6.9.13-48 and 7.1.2-23.
Published: 2026-06-10
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick’s distributed pixel cache was originally designed without a challenge–response authentication model, allowing an attacker to read pixel data that the server accessed. This flaw can expose image contents to unauthorized parties, compromising confidentiality of image assets. The weakness is classified as CWE-200, an information disclosure vulnerability.

Affected Systems

The vulnerability affects all deployments of ImageMagick prior to versions 6.9.13‑48 and 7.1.2‑23. Users running older releases of ImageMagick, including any custom builds that enable the distributed pixel cache, are potentially impacted and should verify their current version.

Risk and Exploitability

The CVSS score of 4.1 indicates a moderate risk. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploits in the wild. If the pixel cache server is exposed to the network, the attack vector is likely remote, as an adversary could connect to the server and retrieve pixel data. If the server is isolated, the risk may be limited to local or compromised hosts.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13‑48 or later, or 7.1.2‑23 or later, to enable challenge–response authentication for the distributed pixel cache.
  • If an upgrade is not immediately possible, disable the distributed pixel cache feature or restrict network access to the cache server to prevent unauthenticated connections.
  • Apply any vendor-supplied security patches and monitor ImageMagick releases for further updates or additional mitigations.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4609-1 imagemagick security update
Debian DSA Debian DSA DSA-6298-1 imagemagick security update
Debian DSA Debian DSA DSA-6310-1 imagemagick security update
Github GHSA Github GHSA GHSA-2rgj-gx5x-f62w ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model
History

Wed, 10 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, the distributed pixel cache was originally designed to operate without a challenge–response authentication model. This has been changed in versions 6.9.13-48 and 7.1.2-23.
Title ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T16:14:35.393Z

Reserved: 2026-05-18T21:25:34.497Z

Link: CVE-2026-47165

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-10T23:16:48.037

Modified: 2026-06-11T15:15:54.900

Link: CVE-2026-47165

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor