ImageMagick Path Policy Symlink Race Vulnerability Bypassing Authorization Checks

Vulnerability

A vulnerability in ImageMagick versions before 7.1.2-16 and 6.9.13-41 allows a symlink race attack that bypasses domain="path" authorization checks. The authorization check is performed on the path name before the final file is opened or used, which leaves a time-of-check/time-of-use window in which an attacker can swap a symlink so that a read or write the policy should deny is performed on a different file.
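
The two patterns below are an added example, not ImageMagick's code: a policy that allows reads only under a constructed "images" directory, implemented first as check-the-name-then-open-the-name (the defect class described above) and then as open-then-verify, where the allowed root is held as a directory descriptor, every path component is opened with O_NOFOLLOW, and the decision is taken on the descriptor actually held. The file names, contents, the `between_check_and_open` hook that stands in for the race window, and the policy rule itself are all assumptions made for the demonstration.

```python
# Added example (not ImageMagick's code): the check-then-open pattern that
# creates the race described above, beside an open-then-verify replacement.
# The allowed tree, file names and contents are constructed for the demo.
import os
import shutil
import stat
import tempfile


class PolicyDenied(Exception):
    """Raised when a path is refused by the (hypothetical) read policy."""


def path_is_allowed(resolved: str, allowed_root: str) -> bool:
    """Policy rule: the resolved path must lie inside allowed_root."""
    root = os.path.realpath(allowed_root)
    return resolved == root or resolved.startswith(root + os.sep)


def naive_open(path, allowed_root, between_check_and_open=None):
    """Vulnerable pattern: authorize the name, then open the name again."""
    if not path_is_allowed(os.path.realpath(path), allowed_root):
        raise PolicyDenied(path)
    if between_check_and_open is not None:   # the race window, made explicit
        between_check_and_open()
    return os.open(path, os.O_RDONLY)        # follows whatever path means *now*


def hardened_open(root_fd, relpath):
    """Hardened pattern: walk relpath component by component from an open
    directory descriptor of the allowed root, never following symlinks, and
    only then decide on the object actually held (fstat on the descriptor).
    A symlink swapped at any time simply fails to open (O_NOFOLLOW)."""
    if os.path.isabs(relpath):
        raise PolicyDenied(relpath)
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PolicyDenied(relpath)
    cur = os.dup(root_fd)
    try:
        for i, name in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY      # intermediate parts must be real dirs
            nxt = os.open(name, flags, dir_fd=cur)  # ELOOP/EMLINK on a symlink
            os.close(cur)
            cur = nxt
        if not stat.S_ISREG(os.fstat(cur).st_mode):
            raise PolicyDenied(relpath)
    except OSError as exc:
        os.close(cur)
        raise PolicyDenied(relpath) from exc
    except PolicyDenied:
        os.close(cur)
        raise
    return cur


def read_and_close(fd, n=64):
    try:
        return os.read(fd, n)
    finally:
        os.close(fd)


def demo():
    """Builds a throwaway tree and runs both openers against a swapped symlink."""
    base = tempfile.mkdtemp(prefix="path-policy-demo-")
    try:
        root = os.path.join(base, "images")            # the only tree the policy allows
        os.mkdir(root)
        with open(os.path.join(root, "ok.png"), "wb") as f:
            f.write(b"OK")
        secret = os.path.join(base, "secret.txt")      # outside the allowed tree
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        link = os.path.join(root, "input.png")
        os.symlink(os.path.join(root, "ok.png"), link)  # benign at check time

        def swap_link():                                # what a race winner does
            os.unlink(link)
            os.symlink(secret, link)

        results = {}
        results["naive_after_swap"] = read_and_close(
            naive_open(link, root, between_check_and_open=swap_link))

        root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
        try:
            for label, rel in (("hardened_symlink", "input.png"),
                               ("hardened_dotdot", "../secret.txt"),
                               ("hardened_regular", "ok.png")):
                try:
                    results[label] = read_and_close(hardened_open(root_fd, rel))
                except PolicyDenied:
                    results[label] = "denied"
        finally:
            os.close(root_fd)
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v!r}")
```

Running `demo()` shows the naive opener returning the contents of the file outside the allowed tree once the link is swapped between check and open, while the hardened opener refuses the symlink, refuses `..`, and reads the regular file normally. The hardened walk refuses symlinks outright; a deployment that must accept them inside the allowed tree would resolve each one with readlinkat and re-walk the target under the same descriptor-based rules rather than fall back to a path-name check. One residual race remains even here: a directory already opened during the walk can be moved out of the root before the next component is opened. On Linux 5.6 and later, openat2 with RESOLVE_BENEATH (or RESOLVE_IN_ROOT) closes that gap in the kernel.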

Impact

Exploitation of this vulnerability could lead to unauthorized read or write access to files, bypassing ImageMagick's intended file handling policies.

Remediation

Users should upgrade to ImageMagick version 7.1.2-16 or 6.9.13-41 to address this vulnerability.

Added: Mar 10, 2026, 7:48 AM
Updated: Mar 10, 2026, 7:48 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 1.3
exploitability: 2.9
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.