<Vulnerability name="CVE-2026-55628">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-01T18:16:23</PublicDate>
    <Bugzilla id="2496134" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496134" xml:lang="en:us">
ImageMagick: ImageMagick: Unauthorized file access due to missing policy checks in concatenate operation
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-1220</CWE>
    <Details xml:lang="en:us" source="Mitre">
In versions prior to 7.1.2-26he, the `-concatenate` operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in ImageMagick. The `-concatenate` operation, used for combining images, lacks proper security policy checks. This oversight could allow an attacker to read from or write to file paths that should otherwise be restricted by the security policy. This could lead to unauthorized access to sensitive system resources.
    </Details>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-55628
https://nvd.nist.gov/vuln/detail/CVE-2026-55628
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-82mp-vp5c-9pf7
    </References>
</Vulnerability>