Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
Published: 2026-06-10
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick, a widely used open-source image manipulation library, contains a flaw in its filename parsing logic that allows an attacker to evade the library's security policy through the use of a symbolic link. This policy bypass can grant read access to files that should be prohibited, leading to information disclosure. The weakness maps to CWE-200 (Information Exposure), CWE-22 (Path Traversal), and other related weaknesses such as CWE-78 and CWE-863 cited by the CNA.

Affected Systems

The vulnerability affects all installations of ImageMagick prior to versions 6.9.13-48 and 7.1.2-24. Any system that relies on these older releases and processes images supplied by untrusted users is potentially impacted.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a specially crafted filename or symbolic link that the filename parser mishandles, so the security policy is not enforced on the file actually read. Successful exploitation requires the application to invoke ImageMagick's processing routines on the supplied input, so systems that restrict image handling or validate filenames before processing may reduce the risk.

Generated by OpenCVE AI on June 10, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all ImageMagick installations to version 6.9.13-48 or newer, or 7.1.2-24 or newer, where the policy parsing bug is fixed.
  • Configure ImageMagick's security policy to disallow symbolic links when processing untrusted files, so that the library enforces the intended restrictions.
  • Implement input validation to reject or sanitize filenames that contain path traversal sequences or reference privileged paths before the image is handed to ImageMagick.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 00:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Imagemagick
                    |                | Imagemagick imagemagick
Vendors & Products  |                | Imagemagick
                    |                | Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type        | Values Removed | Values Added
Description |                | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
Title       |                | ImageMagick: Policy Bypass can read disallowed files
Weaknesses  |                | CWE-200
            |                | CWE-22
            |                | CWE-78
            |                | CWE-863
References  |                |
Metrics     |                | cvssV3_1
            |                | {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Imagemagick Imagemagick
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T22:00:26.685Z

Reserved: 2026-05-28T03:42:34.341Z

Link: CVE-2026-49219

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T23:16:49.637

Modified: 2026-06-10T23:16:49.637

Link: CVE-2026-49219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T00:00:12Z