CVE-2026-28689
Received Received - Intake

Symlink Race Vulnerability in ImageMagick Enables Unauthorized Access

Vulnerability report for CVE-2026-28689, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-10
Last Modified
2026-03-12
Generated
2026-07-06
AI Q&A
2026-03-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-41 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-16 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability allows an attacker with local access to bypass file path policy restrictions in ImageMagick by exploiting a symlink race condition.

The impact includes unauthorized reading or writing of files that should be protected, leading to potential confidentiality and integrity breaches.

Specifically, the CVSS score indicates high impact on confidentiality and integrity, meaning sensitive data could be exposed or altered without permission.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ImageMagick to version 7.1.2-16 or later, or 6.9.13-41 or later, where the issue has been fixed.

This update addresses the Time-of-Check to Time-of-Use (TOCTOU) symlink race condition in the path policy authorization mechanism, preventing attackers from bypassing policy restrictions via symlink manipulation.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28689 is a moderate severity vulnerability in ImageMagick, a software used for editing and manipulating digital images. The issue is a Time-of-Check to Time-of-Use (TOCTOU) symlink race condition in the "path" policy authorization mechanism.'}, {'type': 'paragraph', 'content': 'ImageMagick checks authorization on file paths before opening or using files. However, an attacker can exploit a symlink swap between the time the check is done and the time the file is actually used. This allows bypassing policy restrictions that should deny access.'}, {'type': 'paragraph', 'content': 'As a result, unauthorized read or write access to files can occur, violating intended security policies.'}] [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart