CVE-2026-28689 Overview
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in ImageMagick, the widely used open-source software for editing and manipulating digital images. The flaw exists in the domain="path" authorization mechanism, where policy checks are performed before the final file open/use operation. An attacker with local access can exploit this race condition by swapping a symlink between the check time and the use time, effectively bypassing policy-denied read/write operations.
Critical Impact
Local attackers can bypass ImageMagick's security policies to read or write files that should be protected, potentially exposing sensitive data or enabling unauthorized modifications to critical system files.
Affected Products
- ImageMagick versions prior to 7.1.2-16
- ImageMagick versions prior to 6.9.13-41
- Systems using ImageMagick with path-based policy configurations
Discovery Timeline
- 2026-03-10 - CVE-2026-28689 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-28689
Vulnerability Analysis
This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The root issue lies in ImageMagick's path authorization mechanism, which validates file access permissions at one point in time but then uses the file at a later point, creating a window of opportunity for exploitation.
The attack requires local access and involves a race condition where the attacker must successfully swap a symbolic link between when ImageMagick checks the path policy and when it actually opens or uses the file. While the attack complexity is considered high due to the timing requirements, successful exploitation can lead to significant confidentiality and integrity impacts.
Root Cause
The vulnerability stems from a fundamental design flaw in how ImageMagick handles file path authorization. The security check and the file operation are not atomic, meaning they occur as separate, distinct operations. This separation creates a race condition window where the file system state can change between the check and the use.
Specifically, when ImageMagick processes an image operation:
- The path authorization policy is evaluated against the requested file path
- A time gap exists between the authorization check and actual file access
- During this gap, an attacker can replace a legitimate file with a symlink pointing to a policy-denied target
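The check-then-use gap described above, reproduced as an added example that is not ImageMagick's code and not part of this advisory: a toy authorizer that validates a path string, a separate use step, and beside them a hardened variant that opens relative to the authorized directory with O_NOFOLLOW and validates the descriptor it actually obtained. It assumes Linux (or another POSIX system where os.open supports dir_fd); the directory layout and file names are constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile
from pathlib import Path

def authorize_path(path, allowed_dir):
    """Vulnerable check step: inspects what `path` resolves to at this moment."""
    root = os.path.realpath(allowed_dir) + os.sep
    return os.path.realpath(path).startswith(root)

def use_path(path):
    """Vulnerable use step: reads whatever `path` names now, following symlinks."""
    return Path(path).read_bytes()

def open_in_dir(name, allowed_dir):
    """Hardened: open relative to the authorized directory fd with O_NOFOLLOW and validate the fd itself."""
    if os.sep in name or name in (".", ".."):
        raise PermissionError("bare file name required: %r" % name)
    dfd = os.open(allowed_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dfd)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):  # final component is a symlink
            raise PermissionError("symlink refused: %r" % name) from e
        raise
    finally:
        os.close(dfd)
    if not stat.S_ISREG(os.fstat(fd).st_mode):  # checked on the fd, not the path
        os.close(fd)
        raise PermissionError("not a regular file: %r" % name)
    return os.fdopen(fd, "rb")

def demo():
    """Constructed scenario: a permitted file is swapped for a symlink between check and use."""
    safe = Path(tempfile.mkdtemp()) / "safe"
    safe.mkdir()
    secret = safe.parent / "secret.txt"          # outside the permitted directory
    secret.write_bytes(b"SECRET")
    (safe / "in.png").write_bytes(b"IMAGE")
    checked = authorize_path(str(safe / "in.png"), str(safe))  # passes: a real file
    (safe / "in.png").unlink()
    (safe / "in.png").symlink_to(secret)       # the swap inside the check/use gap
    leaked = use_path(str(safe / "in.png"))    # the use step follows the new link
    try:
        open_in_dir("in.png", str(safe))
        blocked = False
    except PermissionError:
        blocked = True
    return {"checked": checked, "leaked": leaked, "blocked": blocked}
```

The hardened variant never re-examines the path string: the directory is authorized once, the name is opened relative to that handle without following links, and the regular-file check runs on the descriptor that will be read.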
Attack Vector
The attack vector requires local access with low privileges. An attacker must be able to create symbolic links on the system and time the symlink swap precisely to exploit the race condition. The exploitation scenario involves:
- Creating a legitimate file that passes ImageMagick's path policy check
- Monitoring for ImageMagick operations on that file
- Rapidly replacing the legitimate file with a symlink pointing to a protected resource
- The symlink swap must occur after the policy check but before the file is actually opened
Due to the timing requirements, this attack may require multiple attempts to succeed. Automation through scripting can increase the attack success rate by repeatedly attempting the symlink swap during the vulnerable time window. The attack does not require user interaction and can be performed entirely by a local process with appropriate filesystem permissions.
Detection Methods for CVE-2026-28689
Indicators of Compromise
- Unusual symbolic link creation activity in directories where ImageMagick processes files
- Rapid file replacement or symlink swap operations detected through filesystem monitoring
- ImageMagick accessing files outside of expected policy-permitted directories
- Unexpected read or write operations to sensitive system files by ImageMagick processes
Detection Strategies
- Implement filesystem auditing to detect symlink creation in ImageMagick working directories
- Monitor for rapid file deletion and symlink creation patterns that may indicate race condition exploitation attempts
- Configure process monitoring to alert on ImageMagick accessing unexpected file paths
- Deploy file integrity monitoring on sensitive directories that could be targeted through policy bypass
Monitoring Recommendations
- Enable detailed logging for ImageMagick operations including file paths accessed
- Set up alerts for ImageMagick processes accessing files outside normal working directories
- Monitor system calls related to symlink operations in directories used by ImageMagick
- Implement anomaly detection for unusual patterns of file operations during image processing
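The auditing and monitoring bullets above describe the pattern to look for; this added example (not from the advisory or from ImageMagick) correlates raw auditd records for it. It assumes an audit rule that logs unlink/symlink syscalls under the processing directory with key im_symlink, x86_64 syscall numbers, and a processing directory of /var/imagemagick/safe/; the sample records are constructed, not real captures.

```python
import re
WATCHED = "/var/imagemagick/safe/"   # directory the path policy permits (assumed)
SWAP_WINDOW = 0.5                    # seconds: delete followed by symlink on one name
UNLINK, SYMLINK = {"87", "263"}, {"88", "266"}   # x86_64 unlink(at) / symlink(at)

MSG = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(lines):
    """Group raw auditd lines by serial into {serial: {ts, syscall, comm, paths}}."""
    events = {}
    for line in lines:
        m = MSG.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        ev = events.setdefault(serial, {"ts": float(ts), "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"], ev["comm"] = fields.get("syscall"), fields.get("comm", "?")
        elif rtype == "PATH" and fields.get("nametype") in ("CREATE", "DELETE"):
            ev["paths"].append(fields.get("name", ""))
    return events

def find_symlink_swaps(lines, watched=WATCHED, window=SWAP_WINDOW):
    """Alert on every symlink created under `watched`; escalate to 'symlink_swap' if the same name was unlinked within `window`."""
    last_delete, alerts = {}, []
    for serial, ev in sorted(parse_records(lines).items(), key=lambda kv: kv[1]["ts"]):
        sc = ev.get("syscall")
        for path in ev["paths"]:
            if not path.startswith(watched):
                continue
            if sc in UNLINK:
                last_delete[path] = ev["ts"]
            elif sc in SYMLINK:
                gap = ev["ts"] - last_delete.get(path, float("-inf"))
                kind = "symlink_swap" if gap <= window else "symlink_created"
                alerts.append((kind, path, ev.get("comm", "?")))
    return alerts

# Constructed auditd-style records (not real captures): a file in the watched
# directory is unlinked and replaced by a symlink 3 ms later, then a lone symlink appears.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1710000000.100:501): arch=c000003e syscall=87 success=yes exit=0 comm="rm" key="im_symlink"
type=PATH msg=audit(1710000000.100:501): item=1 name="/var/imagemagick/safe/in.png" nametype=DELETE
type=SYSCALL msg=audit(1710000000.103:502): arch=c000003e syscall=88 success=yes exit=0 comm="ln" key="im_symlink"
type=PATH msg=audit(1710000000.103:502): item=1 name="/var/imagemagick/safe/in.png" nametype=CREATE
type=SYSCALL msg=audit(1710000009.000:503): arch=c000003e syscall=88 success=yes exit=0 comm="ln" key="im_symlink"
type=PATH msg=audit(1710000009.000:503): item=1 name="/var/imagemagick/safe/thumb.png" nametype=CREATE
""".splitlines()
```

Feed the function lines from the audit log (or `ausearch -k im_symlink --raw`); a symlink_swap alert on a file ImageMagick was processing is the signal the detection bullets describe, while symlink_created on its own is a lower-severity anomaly.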
How to Mitigate CVE-2026-28689
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-16 or later for the 7.x branch
- Upgrade ImageMagick to version 6.9.13-41 or later for the 6.x branch
- Restrict local access to systems running vulnerable ImageMagick versions
- Review and harden filesystem permissions in ImageMagick processing directories
Patch Information
ImageMagick has released security patches addressing this TOCTOU vulnerability. The fix is included in versions 7.1.2-16 and 6.9.13-41. Organizations should prioritize patching systems where ImageMagick is used to process untrusted content or where local users may have malicious intent.
For detailed information about the fix and additional security guidance, refer to the GitHub Security Advisory.
Workarounds
- Disable or restrict ImageMagick's path-based policy features until patching is possible
- Run ImageMagick processes in isolated environments (containers, sandboxes) with limited filesystem access
- Implement additional access controls at the filesystem level to prevent symlink creation in ImageMagick working directories
- Configure the nofollow mount option where feasible to prevent symlink traversal
Example: restrict ImageMagick to a dedicated processing directory. Add the following to ImageMagick's policy.xml (typically /etc/ImageMagick-7/policy.xml or /etc/ImageMagick-6/policy.xml). It denies path access by default and then explicitly allows one safe directory; keep the allow rule after the deny-all rule, since a later matching entry overrides an earlier one:
<policymap>
  <policy domain="path" rights="none" pattern="*" />
  <policy domain="path" rights="read|write" pattern="/var/imagemagick/safe/*" />
</policymap>
Run ImageMagick in a restricted mount namespace (Linux). The command below masks /etc/passwd with /dev/null for the duration of a single conversion; it needs CAP_SYS_ADMIN (root), or the additional flags --user --map-root-user for an unprivileged user on systems where user namespaces are enabled:
unshare --mount --propagation private -- /bin/bash -c "mount --bind /dev/null /etc/passwd && convert input.png output.png"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.