Skip to main content

Qvr Pro CVE-2026-22898

| EUVDEUVD-2026-13718 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-03-20 qnap
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:49 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.7.4.14
EUVD ID Assigned
Mar 20, 2026 - 16:30 euvd
EUVD-2026-13718
Analysis Generated
Mar 20, 2026 - 16:30 vuln.today
CVE Published
Mar 20, 2026 - 16:21 nvd
CRITICAL 9.3

DescriptionCVE.org

A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system.

We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later

AnalysisAI

QVR Pro contains a missing authentication vulnerability (CWE-306) that allows remote attackers to access critical functions without proper credential validation, potentially gaining unauthorized system access. All versions prior to QVR Pro 2.7.4.14 are affected. This authentication bypass vulnerability enables unauthenticated remote exploitation of a surveillance management platform, representing a direct threat to organizations relying on QVR Pro for video recording and system administration.

Technical ContextAI

QVR Pro is QNAP's professional video recording and management solution, identified via CPE cpe:2.3:a:qnap_systems_inc.:qvr_pro. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), a root cause classification indicating that certain critical application functions lack proper authentication mechanisms. This suggests that one or more API endpoints, administrative functions, or system configuration interfaces within QVR Pro fail to validate user credentials before processing requests, allowing the application to treat unauthenticated requests as if they were legitimately authenticated. The absence of CVSS scoring in the advisory may indicate this is a pre-disclosure or preliminary report, though the severity is evident from the authentication bypass nature and remote attack vector.

RemediationAI

Immediately upgrade QVR Pro to version 2.7.4.14 or later as provided by QNAP (see security advisory at https://www.qnap.com/en/security-advisory/qsa-26-07). Until patching is completed, implement network-level mitigations including restricting direct network access to QVR Pro systems to trusted administrative networks only, deploying a reverse proxy with mandatory authentication and TLS enforcement, and disabling or isolating any critical functions that do not require authentication. Monitor QVR Pro access logs for evidence of exploitation attempts, particularly requests to administrative or configuration endpoints originating from untrusted sources. If immediate patching is not feasible, consider temporarily taking affected QVR Pro instances offline until the update can be applied.

Share

CVE-2026-22898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy