CVE-2026-56369 MEDIUM

CVE-2026-56369: ImageMagick - Information Disclosure via AES-CTR Nonce Reuse in PasskeyEncipherImage

Vendor Imagemagick
Product ImageMagick
Weakness CWE-323
Published June 30, 2026
Last update July 1, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher implementation to recover plaintext information from encrypted images.

Key dates

02 Disclosure timeline

June 30, 2026 CVE published
July 1, 2026 Record updated