CVE-2026-28689
Symlink Race Vulnerability in ImageMagick Enables Unauthorized Access
Publication date: 2026-03-10
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| imagemagick | imagemagick | < 6.9.13-41 |
| imagemagick | imagemagick | >= 7.0.0-0, < 7.1.2-16 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28689 is a moderate severity vulnerability in ImageMagick, a software used for editing and manipulating digital images. The issue is a Time-of-Check to Time-of-Use (TOCTOU) symlink race condition in the "path" policy authorization mechanism.

ImageMagick checks authorization on file paths before opening or using files. However, an attacker can exploit a symlink swap between the time the check is done and the time the file is actually used. This allows bypassing policy restrictions that should deny access.

As a result, unauthorized read or write access to files can occur, violating intended security policies. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker with local access to bypass file path policy restrictions in ImageMagick by exploiting a symlink race condition.
The impact includes unauthorized reading or writing of files that should be protected, leading to potential confidentiality and integrity breaches.
Specifically, the CVSS score indicates high impact on confidentiality and integrity, meaning sensitive data could be exposed or altered without permission.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade ImageMagick to version 7.1.2-16 or later, or 6.9.13-41 or later, where the issue has been fixed.
This update addresses the Time-of-Check to Time-of-Use (TOCTOU) symlink race condition in the path policy authorization mechanism, preventing attackers from bypassing policy restrictions via symlink manipulation.
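The check-then-use gap described in the answers above, beside the identity check that closes it, as an added C example (not ImageMagick's code and not the fix shipped in the patched versions). The policy is a constructed single-prefix deny rule, the race window is a test seam that performs the symlink swap in-process, and the fixture files are created in a fresh temp directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Constructed policy standing in for ImageMagick's "path" rule: deny one canonical prefix. */
static char denied_prefix[PATH_MAX] = "/etc/";
int policy_allows(const char *canonical) { return strncmp(canonical, denied_prefix, strlen(denied_prefix)) != 0; }
/* Test seam for the race window: renaming `swap` over `victim` is the attacker's atomic symlink swap. */
static void race_window(const char *swap, const char *victim) { if (swap) rename(swap, victim); }
/* Vulnerable pattern (CWE-367): policy decided on one resolution of `path`, file opened
   by a second, independent resolution of the same string. */
int open_checked_racy(const char *path, const char *swap, const char *victim) {
    char resolved[PATH_MAX];
    if (!realpath(path, resolved) || !policy_allows(resolved)) return -1;
    race_window(swap, victim);
    return open(path, O_RDONLY | O_CLOEXEC);   /* follows whatever `path` points at now */
}
/* Hardened pattern: resolve once, record the approved (dev, inode), open the resolved name
   with O_NOFOLLOW, then confirm the opened object is the approved one; a swap is refused. */
int open_checked_safe(const char *path, const char *swap, const char *victim) {
    char resolved[PATH_MAX]; struct stat approved, opened;
    if (!realpath(path, resolved) || !policy_allows(resolved)) return -1;
    if (lstat(resolved, &approved) != 0 || !S_ISREG(approved.st_mode)) return -1;
    race_window(swap, victim);
    int fd = open(resolved, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                     /* ELOOP: a symlink now sits where the file was */
    if (fstat(fd, &opened) != 0 || opened.st_dev != approved.st_dev ||
        opened.st_ino != approved.st_ino) { close(fd); return -1; }
    return fd;
}
/* Constructed fixture in a fresh temp dir: public.txt holds 'P' (allowed), private/secret.txt
   holds 'S' (denied by the policy), .swap is a symlink to secret.txt. Returns 1 on success. */
char g_pub[PATH_MAX], g_sec[PATH_MAX], g_swp[PATH_MAX];
static void put(const char *p, char c) { FILE *f = fopen(p, "w"); if (f) { fputc(c, f); fclose(f); } }
int setup_fixture(void) {
    char dir[] = "/tmp/toctou-XXXXXX", real[PATH_MAX];
    if (!mkdtemp(dir) || !realpath(dir, real)) return 0;
    snprintf(denied_prefix, PATH_MAX, "%s/private/", real);
    if (mkdir(denied_prefix, 0700) != 0) return 0;
    snprintf(g_pub, PATH_MAX, "%s/public.txt", dir);
    snprintf(g_sec, PATH_MAX, "%s/private/secret.txt", dir);
    snprintf(g_swp, PATH_MAX, "%s/.swap", dir);
    put(g_pub, 'P'); put(g_sec, 'S');
    return symlink(g_sec, g_swp) == 0;
}
int first_byte(int fd) { /* 'P', 'S' or -1; closes fd */ char c; int r = (fd >= 0 && read(fd, &c, 1) == 1) ? c : -1; if (fd >= 0) close(fd); return r; }
```

With the swap performed inside the window, the racy variant hands back a descriptor on the denied file, while the hardened variant refuses because the name it approved no longer denotes the object it recorded.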