CVE-2026-28689

A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. A time-of-check to time-of-use (TOCTOU) vulnerability exists where authorization for a file path is checked before the file is finally opened or used. A local attacker can exploit this by performing a symlink swap between the check-time and use-time, bypassing policy-denied read/write operations. This can lead to information disclosure and unauthorized modification of files.