CVE-2026-28689
Received Received - Intake
Symlink Race Vulnerability in ImageMagick Enables Unauthorized Access

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28689
EUVD
EUVD-2026-10381
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-41 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows an attacker with local access to bypass file path policy restrictions in ImageMagick by exploiting a symlink race condition.

The impact includes unauthorized reading or writing of files that should be protected, leading to potential confidentiality and integrity breaches.

Specifically, the CVSS score indicates high impact on confidentiality and integrity, meaning sensitive data could be exposed or altered without permission.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ImageMagick to version 7.1.2-16 or later, or 6.9.13-41 or later, where the issue has been fixed.

This update addresses the Time-of-Check to Time-of-Use (TOCTOU) symlink race condition in the path policy authorization mechanism, preventing attackers from bypassing policy restrictions via symlink manipulation.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28689 is a moderate severity vulnerability in ImageMagick, a software used for editing and manipulating digital images. The issue is a Time-of-Check to Time-of-Use (TOCTOU) symlink race condition in the "path" policy authorization mechanism.'}, {'type': 'paragraph', 'content': 'ImageMagick checks authorization on file paths before opening or using files. However, an attacker can exploit a symlink swap between the time the check is done and the time the file is actually used. This allows bypassing policy restrictions that should deny access.'}, {'type': 'paragraph', 'content': 'As a result, unauthorized read or write access to files can occur, violating intended security policies.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart