ImageMagick has a Path Policy TOCTOU symlink race bypass
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A TOCTOU race condition in ImageMagick's path policy check allows attackers to bypass read/write restrictions via a symlink swap.
Vulnerability: TOCTOU Race Condition in Path Policy Check
ImageMagick versions prior to 7.1.2-16 and 6.9.13-41 contain a time-of-check time-of-use (TOCTOU) race condition in the domain="path" authorization mechanism. The policy check occurs before the final file open or use, but an attacker can swap a symlink between the check and the use, bypassing policy-denied read or write operations [1][2].
Exploitation
An attacker with the ability to create and modify symlinks on the filesystem (e.g., via a local account or a compromised process) can exploit this race condition. By rapidly swapping a symlink between a permitted path and a restricted path, the attacker can trick ImageMagick into reading or writing files that the policy intended to block. No special privileges beyond filesystem write access to the symlink location are required [3][4].
Impact
Successful exploitation allows an attacker to read or write arbitrary files that are otherwise denied by the ImageMagick security policy. This could lead to information disclosure (reading sensitive files) or arbitrary file write, potentially enabling further compromise of the system or data integrity [2][4].
Mitigation
The vulnerability is fixed in ImageMagick versions 7.1.2-16 and 6.9.13-41 [1][2]. Users should upgrade to these versions or later. The fix addresses the race condition by ensuring the policy check is performed atomically with the file open operation [3][4].
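The check-then-use window the narrative describes, shown as an added illustration that is neither ImageMagick's code nor the upstream fix: a constructed denylist stands in for a domain="path" policy, `open_check_then_use` resolves and checks the name and then opens the name again (leaving the window between the two calls), while `open_then_check` opens first and evaluates policy on what the descriptor actually refers to, using Linux's /proc/self/fd. The race itself is not reproduced; the fixture (temp directory, file and symlink names) is constructed, and every function name here is an assumption for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for a domain="path" policy: everything under this
 * canonical prefix is denied. Filled in by fixture_init() below. */
static char g_denied_prefix[PATH_MAX];

static int path_is_denied(const char *canonical) {
    size_t n = strlen(g_denied_prefix);
    return n > 0 && strncmp(canonical, g_denied_prefix, n) == 0;
}

/* Check-then-use (the vulnerable shape): resolve the name, consult policy,
 * then open the *name* again. A symlink can be retargeted between
 * realpath() and open(), so the object opened may not be the one approved. */
int open_check_then_use(const char *path) {
    char canonical[PATH_MAX];
    if (realpath(path, canonical) == NULL) return -1;
    if (path_is_denied(canonical)) return -1;
    return open(path, O_RDONLY | O_CLOEXEC);   /* the TOCTOU window is here */
}

/* Open-then-check (hardened shape): open first, refusing a symlink as the
 * final component, then decide policy on what the descriptor refers to.
 * Linux-specific: /proc/self/fd/N resolves to the opened object's path. */
int open_then_check(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    char proc[64], canonical[PATH_MAX];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(proc, canonical, sizeof canonical - 1);
    if (n < 0) { close(fd); return -1; }      /* cannot verify: deny */
    canonical[n] = '\0';
    if (path_is_denied(canonical)) { close(fd); return -1; }
    return fd;   /* policy was evaluated on the object we hold, not on a name */
}

/* Constructed fixture under a temp dir (assumed layout):
 *   allowed.txt, secret/secret.txt (denied prefix), link_to_allowed -> allowed.txt,
 *   link_to_secret -> secret/secret.txt, dirlink -> secret */
static char g_dir[PATH_MAX];

static int write_file(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("constructed sample\n", f);
    return fclose(f);
}

int fixture_init(void) {
    if (g_dir[0]) return 0;                    /* already built */
    char tmpl[] = "/tmp/toctou-demo-XXXXXX";
    char *d = mkdtemp(tmpl);
    if (!d || realpath(d, g_dir) == NULL) return -1;
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/secret", g_dir);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(g_denied_prefix, sizeof g_denied_prefix, "%s/secret/", g_dir);
    snprintf(p, sizeof p, "%s/allowed.txt", g_dir);
    if (write_file(p) != 0) return -1;
    snprintf(p, sizeof p, "%s/secret/secret.txt", g_dir);
    if (write_file(p) != 0) return -1;
    snprintf(p, sizeof p, "%s/link_to_allowed", g_dir);
    if (symlink("allowed.txt", p) != 0) return -1;
    snprintf(p, sizeof p, "%s/link_to_secret", g_dir);
    if (symlink("secret/secret.txt", p) != 0) return -1;
    snprintf(p, sizeof p, "%s/dirlink", g_dir);
    if (symlink("secret", p) != 0) return -1;
    return 0;
}

/* Returns 1 if the opener grants access to fixture path `rel`, 0 if refused. */
static int try_open(int (*opener)(const char *), const char *rel) {
    if (fixture_init() != 0) return -1;
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/%s", g_dir, rel);
    int fd = opener(p);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

int naive_opens(const char *rel)    { return try_open(open_check_then_use, rel); }
int hardened_opens(const char *rel) { return try_open(open_then_check, rel); }

int main(void) {
    const char *names[] = { "allowed.txt", "link_to_allowed", "link_to_secret", "dirlink/secret.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s naive=%d hardened=%d\n", names[i], naive_opens(names[i]), hardened_opens(names[i]));
    return 0;
}
```

In a static fixture the two openers mostly agree; the difference that matters is where the decision is taken. The naive version decides on a name that can change after the decision, the hardened one decides on the descriptor it already holds, so a retargeted link can only change which object gets opened, never which object gets past the policy. `O_NOFOLLOW` is an extra layer that refuses even a benign final-component symlink (see `link_to_allowed`); where that is too strict, the /proc-based check alone still catches the `dirlink/secret.txt` case, and on kernels that provide `openat2()` the `RESOLVE_NO_SYMLINKS` or `RESOLVE_BENEATH` flags express the same intent without the /proc lookup.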
- GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
- NVD - CVE-2026-28689
- Release Magick.NET 14.10.4 · dlemstra/Magick.NET
- Path Policy TOCTOU symlink race bypass
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (NuGet) | Affected versions | Patched versions |
|---|---|---|
| Magick.NET-Q16-AnyCPU | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-AnyCPU | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-OpenMP-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-HDRI-x86 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-OpenMP-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-OpenMP-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-OpenMP-x86 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q16-x86 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-AnyCPU | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-OpenMP-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-OpenMP-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-arm64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-x64 | < 14.10.4 | 14.10.4 |
| Magick.NET-Q8-x86 | < 14.10.4 | 14.10.4 |
Affected products
- (no CPE) range: < 7.1.2-16, < 6.9.13-41
- (no CPE) range: >= 7.0.0, < 7.1.2-16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-493f-jh8w-qhx3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-28689 (ghsa, ADVISORY)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/dlemstra/Magick.NET/releases/tag/14.10.4 (ghsa, WEB)
News mentions
No linked articles in our index yet.