Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, the distributed pixel cache was originally designed to operate without a challenge–response authentication model. This has been changed in versions 6.9.13-48 and 7.1.2-23.
Published: 2026-06-10
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick’s distributed pixel cache was originally designed without a challenge–response authentication model, allowing an attacker to read pixel data that the server accessed. This flaw can expose image contents to unauthorized parties, compromising confidentiality of image assets. The weakness is classified as CWE-200 (Information Disclosure) and CWE-306 (Authentication Failure).

Affected Systems

The vulnerability affects all deployments of ImageMagick prior to versions 6.9.13‑48 and 7.1.2‑23. Users running older releases of ImageMagick, including any custom builds that enable the distributed pixel cache, are potentially impacted and should verify their current version.

Risk and Exploitability

The CVSS score of 4.1 indicates a moderate risk. The EPSS score of < 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploits in the wild. If the pixel cache server is exposed to the network, the attack vector is likely remote, as an adversary could connect to the server and retrieve pixel data. If the server is isolated, the risk may be limited to local or compromised hosts.

Generated by OpenCVE AI on June 12, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13‑48 or later, or 7.1.2‑23 or later, to enable challenge–response authentication for the distributed pixel cache.
  • If an upgrade is not immediately possible, disable the distributed pixel cache feature or restrict network access to the cache server to prevent unauthenticated connections.
  • Apply any vendor-supplied security patches and monitor ImageMagick releases for further updates or additional mitigations.

Generated by OpenCVE AI on June 12, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4609-1 imagemagick security update
Debian DSA Debian DSA DSA-6298-1 imagemagick security update
Debian DSA Debian DSA DSA-6310-1 imagemagick security update
Github GHSA Github GHSA GHSA-2rgj-gx5x-f62w ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model
History

Fri, 12 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
References
Metrics threat_severity

None

threat_severity

Low


Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, the distributed pixel cache was originally designed to operate without a challenge–response authentication model. This has been changed in versions 6.9.13-48 and 7.1.2-23.
Title ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T16:14:35.393Z

Reserved: 2026-05-18T21:25:34.497Z

Link: CVE-2026-47165

cve-icon Vulnrichment

Updated: 2026-06-11T14:02:53.324Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T23:16:48.037

Modified: 2026-06-11T18:42:27.697

Link: CVE-2026-47165

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-10T21:50:30Z

Links: CVE-2026-47165 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T01:30:08Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-306

    Missing Authentication for Critical Function