logo

Database

Improper authorization control for web services In magick.net-q16-arm64

Description

ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams:

<policy domain="path" rights="none" pattern="-"/>

However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”.

To resolve this, users can add the following change to their security policy.

<policy domain="path" rights="none" pattern="fd:*"/>

And this will also be included in ImageMagick's more secure policies by default.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

1-10 of 21

10

Aliases

1. CVE-2026-259662. NVD-2026-259663. OSV-2026-259664. OSV-DEBIAN-2026-259665. GHSA-xwc6-v6g8-pw2h6. GCVE-2026-259667. SECURITY-TRACKER-CVE-2026-25966

References

1. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xwc6-v6g8-pw2h2. https://github.com/ImageMagick/ImageMagick/commit/8d4c67a90ae458fb36393a05c0069e9123ac174c3. https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.