{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28689", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.927Z", "datePublished": "2026-03-09T21:39:13.731Z", "dateUpdated": "2026-03-11T03:56:29.129Z"}, "containers": {"cna": {"title": "ImageMagick has a Path Policy TOCTOU symlink race bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": ">= 7.0.0, < 7.1.2-16", "status": "affected"}, {"version": "< 6.9.13-41", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:39:13.731Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain=\"path\" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}], "source": {"advisory": "GHSA-493f-jh8w-qhx3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-28689"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T03:56:29.129Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28689", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T15:56:31.154119Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:56:35.671Z"}}], "cna": {"title": "ImageMagick has a Path Policy TOCTOU symlink race bypass", "source": {"advisory": "GHSA-493f-jh8w-qhx3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": ">= 7.0.0, < 7.1.2-16"}, {"status": "affected", "version": "< 6.9.13-41"}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3", "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain=\"path\" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T21:39:13.731Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28689", "state": "PUBLISHED", "dateUpdated": "2026-03-10T15:56:39.572Z", "dateReserved": "2026-03-02T21:43:19.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T21:39:13.731Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFFB7C48-4211-4215-9C0B-D285B8E09CF1", "versionEndExcluding": "6.9.13-41", "vulnerable": true}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "865783BD-5A33-4D05-AF99-E6EFE76414D1", "versionEndExcluding": "7.1.2-16", "versionStartIncluding": "7.0.0-0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain=\"path\" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."}], "id": "CVE-2026-28689", "lastModified": "2026-03-12T14:46:19.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T07:43:43.963", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Information disclosure and unauthorized modification via symlink TOCTOU vulnerability", "id": "2445891", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445891"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-367", "details": ["A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. A time-of-check to time-of-use (TOCTOU) vulnerability exists where authorization for a file path is checked before the file is finally opened or used. A local attacker can exploit this by performing a symlink swap between the check-time and use-time, bypassing policy-denied read/write operations. This can lead to information disclosure and unauthorized modification of files."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-28689", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-03-09T21:39:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28689\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28689\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3"], "statement": "This MODERATE impact vulnerability in ImageMagick allows a Time-of-Check to Time-of-Use (TOCTOU) symlink race. An attacker could exploit this to bypass path policy restrictions, potentially leading to unauthorized read or write access to files. This affects Red Hat Enterprise Linux and Community Projects that include ImageMagick.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.1.2-16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.13-41)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-04-16T10:08:29.463721+00:00", "value": {"mitigation_remediation": ["Upgrade ImageMagick to at least 7.1.2\u201116 or 6.9.13\u201141, which eliminates the race condition.", "If an immediate upgrade is not possible, modify the policy.xml configuration to disallow symbolic links in the directories used for image processing, hardening the path policy against TOCTOU swaps.", "Run image processing duties in a minimal\u2011privilege, isolated service so that even if a file\u2011access bypass occurs, the impact is contained."], "summary": {"action": "Patch", "impact": "Unauthorized File Access"}, "threat_synthesis": {"affected_systems": "All installations of ImageMagick earlier than version 7.1.2\u201116 and 6.9.13\u201141 are affected. These versions are widely used in web servers, content management systems, and automated image processing pipelines. Any environment that processes external images with these versions is at risk.", "description_and_impact": "ImageMagick contains a time\u2011of\u2011check to time\u2011of\u2011use race condition in its path policy enforcement. An attacker can replace a file with a symlink after the policy has been checked but before the file is opened, allowing the software to read or write files outside the intended directory. The flaw is identified as a race condition (CWE\u2011367) and an improper path restriction (CWE\u201159) that can lead to disclosure or modification of protected data. The vulnerability does not give code execution but permits unauthorized access to filesystem objects. ", "risk_and_exploitability": "The CVSS score of 6.3 reflects moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation at the time of assessment, and the flaw is not currently listed in the CISA KEV database. Based on the description, it is inferred that exploitation may involve providing malicious image files or manipulating the image processing workflow to trigger the race condition, but this is not explicitly stated in the input; it is a logical deduction from the described TOCTOU behavior."}}}}, "created": "2026-03-10T14:06:50.614152+00:00", "updated": "2026-04-16T10:15:26.109353+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}