CVE-2026-55628
Received - Intake

Path Traversal in GitHub Enterprise Server

Vulnerability report for CVE-2026-55628, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

In versions prior to 7.1.2-26, the `-concatenate` operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
References: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor          Product         Version / Range
image_magick    image_magick    up to 7.1.2-26 (exclusive)
image_magick    image_magick    up to 6.9.13-51 (exclusive)

Exploitability

CWE

CWE ID     Description
CWE-862    The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-73     The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Executive Summary

CVE-2026-55628 is a vulnerability in ImageMagick's -concatenate operation where security policy checks are missing. This flaw allows unauthorized reading from and writing to file paths that should be restricted by the security policy. It affects versions prior to 7.1.2-26 and 6.9.13-51. The issue is due to improper authorization, allowing user input to control file operations without proper checks.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive files and potential modification of files on the system. Since the -concatenate operation can read and write to disallowed paths, an attacker with local access could exploit this to access confidential data or alter files, impacting system integrity and confidentiality.

Detection Guidance

This vulnerability involves the -concatenate operation in ImageMagick missing policy checks, allowing unauthorized reading and writing to restricted file paths.

To detect if your system is vulnerable, first check the installed ImageMagick version to see if it is prior to 7.1.2-26 or 6.9.13-51.

  • Run the command: `convert --version` or `magick --version` to determine the installed ImageMagick version.

Additionally, you can audit usage of the -concatenate operation in scripts or commands to see if it is being used in a way that might bypass security policies.

  • Search for usage of -concatenate in your system with commands like: `grep -r -- '-concatenate' /path/to/scripts`.
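The version check above, carried through as an added example (this script is not part of the advisory page and is not ImageMagick project code): it parses the banner printed by `magick --version` or `convert --version`, picks the fixed release for the installed series (7.1.2-26 for 7.x, 6.9.13-51 for 6.x, as stated on this page) and compares component by component, so that a build suffix such as `-9` sorts before `-26` rather than after it as a plain string compare would. The `Version: ImageMagick X.Y.Z-N` banner layout is assumed from that command's output, and the banners at the bottom are constructed samples, not output captured from any host.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an ImageMagick `--version`
# banner as vulnerable or fixed with respect to the fixed releases named above.

# Fixed releases as stated on the advisory page.
FIXED_IM7="7.1.2-26"
FIXED_IM6="6.9.13-51"

# "7.1.2-26" -> "7 1 2 26"; a missing build suffix (e.g. "7.1.2") counts as 0.
split_version() {
    printf '%s' "$1" | awk -F'[.-]' '{ printf "%d %d %d %d", $1, $2, $3, ($4 == "" ? 0 : $4) }'
}

# True (exit 0) when version $1 sorts strictly before version $2, comparing
# each of the four components numerically rather than as text.
version_lt() {
    set -- $(split_version "$1") $(split_version "$2")
    [ "$1" -ne "$5" ] && { [ "$1" -lt "$5" ]; return $?; }
    [ "$2" -ne "$6" ] && { [ "$2" -lt "$6" ]; return $?; }
    [ "$3" -ne "$7" ] && { [ "$3" -lt "$7" ]; return $?; }
    [ "$4" -lt "$8" ]
}

# Pull "X.Y.Z-N" out of the first "Version: ImageMagick ..." line of the
# banner (layout assumed from `magick --version` / `convert --version` output).
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^Version: ImageMagick \([^ ]*\).*/\1/p' | head -n 1
}

# Print "vulnerable", "fixed" or "unknown" (banner not from ImageMagick 6.x/7.x).
classify_banner() {
    ver=$(extract_version "$1")
    case "$ver" in
        7.*) fixed="$FIXED_IM7" ;;
        6.*) fixed="$FIXED_IM6" ;;
        *)   echo "unknown"; return 0 ;;
    esac
    if version_lt "$ver" "$fixed"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# Constructed sample banners (not captured from any real host).
for banner in \
    "Version: ImageMagick 7.1.2-25 Q16-HDRI x86_64 https://imagemagick.org" \
    "Version: ImageMagick 7.1.2-26 Q16-HDRI x86_64 https://imagemagick.org" \
    "Version: ImageMagick 6.9.12-93 Q16 x86_64 https://imagemagick.org" \
    "Version: ImageMagick 6.9.13-51 Q16 x86_64 https://imagemagick.org" \
    "Version: GraphicsMagick 1.3.40"
do
    printf '%-10s %s\n' "$(classify_banner "$banner")" "$banner"
done
# On a real host: classify_banner "$(magick --version 2>/dev/null || convert --version 2>/dev/null)"
```

The script is POSIX sh (no arrays, no `[[`), so it runs under dash or busybox on minimal container images where ImageMagick is often bundled; anything that is not a 6.x or 7.x ImageMagick banner is reported as "unknown" rather than silently treated as fixed.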

Mitigation Strategies

The primary mitigation is to upgrade ImageMagick to version 7.1.2-26 or later, or 6.9.13-51 or later, where the vulnerability has been fixed.

Until the upgrade can be performed, restrict or monitor the use of the -concatenate operation to prevent unauthorized file access.

Review and tighten security policies related to file path access in ImageMagick configurations to limit potential exploitation.

Compliance Impact

The vulnerability allows unauthorized reading and writing to file paths normally restricted by security policies, which can lead to unauthorized data access. This unauthorized access to sensitive data could potentially result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on data confidentiality and access.

Since the flaw involves missing authorization checks and external control of file paths, it increases the risk of data breaches or improper data handling, both of which are critical concerns under these regulations.
