CVE-2026-41247 - elFinder ImageMagick bg command injection

elFinder versions before 2.1.67 can pass the user-controlled resize background-color parameter into ImageMagick CLI command construction without sufficient validation and escaping. When the resize command is enabled, the ImageMagick CLI backend is used, and the vulnerable path is reachable by untrusted users, this can become command execution as the web server process.

The key exposure question is configuration, not just package presence. A site that vendors elFinder but disables resize handling or uses a non-CLI image backend may have lower immediate risk, while an authenticated or public file manager that allows image resize through ImageMagick CLI should be treated as high priority.

When to use it

Use this recipe when a repository deploys elFinder, CMS/admin file managers, or ImageMagick-backed image transforms that accept user-controlled resize options. It is designed for source-code remediation, command-construction review, ImageMagick CLI hardening, file-manager exposure assessment, and evidence that background-color input cannot become shell or process arguments.

Inputs

  • studio-42/elfinder version, Composer lock state, vendored assets, image processing configuration, enabled commands, ImageMagick binary paths, and generated dependency reports.
  • Source/config paths that enable resize, call ImageMagick/convert/magick, pass bg or transform options, expose elFinder connectors, or override command construction.
  • Regression fixtures for benign colors, invalid colors, metacharacters, argv-based execution, disabled resize rollout, and no shell invocation.
  • Boundary evidence: file-manager users, writable paths, web-server privileges, uploaded media sensitivity, logs, and rollout owner.

Affected versions

  • Vulnerable: studio-42/elfinder <2.1.67
  • Fixed: studio-42/elfinder 2.1.67+
  • Affected surface: elFinder resize command with ImageMagick CLI image processing and reachable user-controlled bg background-color input.

Indicator-of-exposure

  • The repository installs, vendors, bundles, images, or deploys studio-42/elfinder <2.1.67.
  • elFinder is reachable by untrusted, low-privilege, tenant, CMS, helpdesk, admin-panel, or public users.
  • The resize command is enabled or not explicitly disabled.
  • Image processing is configured to use ImageMagick CLI, convert, magick, or shell-backed image transforms.
  • Request handlers, plugins, or wrappers pass background-color values, resize options, or image transform options from users into elFinder commands.

Quick checks:

rg -n "studio-42/elfinder|elFinder|elfinder|ImageMagick|imagick|convert|magick|resize|bg|background" .
composer show studio-42/elfinder
composer why studio-42/elfinder
find . -path "*/vendor/studio-42/elfinder*" -maxdepth 8 -type f | head
rg -n "elFinderVolume|imgLib|convertPath|magick|resize|disabled|commands|upload|connector" config public app src vendor

Remediation strategy

  • Upgrade studio-42/elfinder to 2.1.67+ everywhere this repository controls Composer manifests, lockfiles, vendored artifacts, images, or deployment bundles.
  • Regenerate composer.lock, plugin/package manifests, SBOMs, image metadata, and deployment render output.
  • If immediate upgrade is blocked, disable the resize command or disable the ImageMagick CLI backend until the fixed release is deployed.
  • If this repository owns an elFinder fork or patch layer, validate resize background colors against a strict allow-list of supported color formats and pass image operation arguments without shell interpolation.
  • Add regression tests proving malicious-looking background color strings are rejected or treated as data without executing shell metacharacters.
  • Review logs for unusual resize activity during the vulnerable window.

The prompt

You are remediating CVE-2026-41247 / GHSA-8q4h-8crm-5cvc, an elFinder
command-injection vulnerability in resize background-color handling when
ImageMagick CLI processing is enabled. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades elFinder or disables the
  unsafe resize/ImageMagick CLI path, adds regression coverage, and documents
  operator review, or
- TRIAGE.md if this repository does not own an affected elFinder deployment or
  cannot make a safe change.

## Rules

- Scope only CVE-2026-41247 / GHSA-8q4h-8crm-5cvc and directly related
  elFinder image-resize command execution risk.
- Treat uploaded files, user files, filesystem paths, web server credentials,
  CMS/admin sessions, access logs, and image metadata as sensitive.
- Do not execute exploit payloads, shell metacharacter probes, reverse shells,
  package installers, outbound network beacons, or attacker-shaped commands.
- Do not hand-edit vendored elFinder code unless no safe vendor upgrade is
  available and the patch is explicitly labeled temporary.
- Do not auto-merge.

## Steps

1. Inventory every elFinder deployment controlled by this repository:
   Composer manifests and locks, vendored `vendor/studio-42/elfinder` trees,
   CMS/plugin bundles, Dockerfiles, images, Helm charts, deployment scripts,
   SBOMs, connector routes, admin panels, and runbooks.
2. Determine every resolved `studio-42/elfinder` version. A target is
   vulnerable if it resolves below `2.1.67`.
3. Map reachable image-processing configuration:
   - elFinder connector routes and authentication;
   - enabled/disabled command lists;
   - whether `resize` is enabled;
   - configured image backend, especially ImageMagick CLI, `convert`, or
     `magick`;
   - custom wrappers that pass user-controlled `bg`, background, resize,
     rotate, crop, or image-transform options.
4. If this repository does not deploy or package elFinder, stop with
   `TRIAGE.md` listing files checked, scanner evidence, and the runtime owner.
5. Upgrade to `studio-42/elfinder 2.1.67+` through the normal dependency
   channel. Regenerate `composer.lock`, package metadata, SBOMs, image digests,
   and deployment render output.
6. If the fixed package cannot be deployed immediately, add temporary
   containment controlled by this repository:
   - disable the `resize` command;
   - disable ImageMagick CLI processing for elFinder;
   - restrict elFinder connector access to trusted administrators;
   - block the connector route at the edge until the fixed build is deployed.
7. If this repository owns a fork or patch layer, make the command boundary
   safe:
   - validate background colors against an explicit allow-list of supported
     formats;
   - reject anything outside that grammar before image processing;
   - pass ImageMagick arguments as argument arrays when supported;
   - avoid shell interpolation and shell wrappers;
   - ensure rejected values are not logged with full uploaded-file paths or
     user content.
8. Add safe regression tests that do not execute commands:
   - `studio-42/elfinder` resolves to `2.1.67+`;
   - resize rejects background-color values outside the supported grammar;
   - shell metacharacter-looking strings are treated as invalid data;
   - disabled resize commands cannot be invoked through connector routes;
   - connector access still requires intended authentication/authorization.
9. Add a PR body section named `CVE-2026-41247 operator actions` that states:
   - elFinder versions before and after the change;
   - whether `resize` and ImageMagick CLI were enabled;
   - which connector routes were reachable and by whom;
   - whether temporary containment remains in place;
   - which access logs, connector logs, image-processing logs, and upload
     directories should be reviewed for suspicious resize activity.
10. Run relevant validation: Composer install/update checks, lockfile checks,
    PHP tests, connector route tests, image processing tests with benign
    fixtures, lint/static analysis, image build, deployment diff, SBOM refresh,
    and dependency/security scans available in this repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-41247 in elFinder resize`.

## Stop conditions

- No affected elFinder deployment is controlled by this repository.
- A fixed elFinder release cannot be consumed and this repository cannot
  disable resize, disable ImageMagick CLI, or block the connector route.
- Verification would require executing shell payloads or touching real user
  uploads.
- The only apparent fix would delete uploaded user files or expose private
  file contents.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades elFinder, disables or hardens unsafe resize/ImageMagick CLI handling, adds argument-safety tests, and documents file-manager/operator review.
  • Or a TRIAGE.md file that lists inspected dependencies/config/connectors, owner, observed version, resize/ImageMagick boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not execute shell payloads, mutate production media, expose uploaded files, or weaken file access controls.

Verification - what the reviewer looks for

  • No controlled Composer lockfile, vendored package, image, SBOM, or deployment target resolves studio-42/elfinder <2.1.67.
  • elFinder resize and ImageMagick CLI exposure are explicitly inventoried.
  • Any temporary containment is deployable and clearly labeled.
  • Tests prove unsafe background-color values cannot reach shell command construction, without executing real payloads.
  • Operator actions cover log review and connector-route exposure without exposing uploaded files or private paths.

Watch for

  • Updating composer.json while composer.lock, vendored package bundles, CMS plugin archives, or container layers still carry the vulnerable version.
  • Disabling resize in one connector while another connector route still allows image transforms.
  • Assuming Imagick extension usage is equivalent to ImageMagick CLI usage without checking actual elFinder configuration.
  • Tests that call real convert or magick with attacker-shaped strings instead of asserting validation and argument construction behavior safely.
  • Logging full uploaded-file paths, user filenames, or image metadata while adding validation errors.

References