Skip to main content

QuMagie CVE-2026-26236

| EUVDEUVD-2026-35347 HIGH
Missing Authorization (CWE-862)
2026-06-09 qnap GHSA-xxxj-w44j-q5cf
8.7
CVSS 4.0 · Vendor: qnap
Share

Severity by source

Vendor (qnap) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (qnap) · only source for this CVE.

CVSS VectorVendor: qnap

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 06:01 EUVD
Analysis Generated
Jun 09, 2026 - 05:28 vuln.today
CVSS changed
Jun 09, 2026 - 05:22 NVD
8.7 (HIGH)

DescriptionCVE.org

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.

We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later

AnalysisAI

Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass authorization checks over the network without authentication. The CVSS 4.0 score of 8.7 reflects high confidentiality impact with low attack complexity and no privileges required, though no public exploit identified at time of analysis and KEV listing is absent.

Technical ContextAI

QuMagie is QNAP's AI-powered photo management application that runs on QTS/QuTS hero NAS devices, providing facial recognition, object detection, and media organization features typically exposed over HTTP/HTTPS via the QNAP web interface. The root cause is CWE-862 (Missing Authorization), meaning the application performs sensitive operations without verifying whether the requesting principal is permitted to perform them - this is distinct from missing authentication, since the access control check itself is absent or incomplete on specific endpoints. The CPE string cpe:2.3:a:qnap_systems_inc.:qumagie:*:*:*:*:*:*:*:* confirms all versions of the QuMagie application are in scope prior to the fix.

RemediationAI

Upgrade QuMagie to the vendor-released patch version 2.9.0 or later via the QNAP App Center on the affected NAS, following guidance in the QNAP advisory QSA-26-36 at https://www.qnap.com/en/security-advisory/qsa-26-36. If immediate patching is not feasible, restrict network exposure of the QuMagie web interface by placing the NAS behind a VPN or firewall ACL that limits access to trusted management IPs only - note this breaks any external/mobile photo browsing workflows users may rely on. Additionally consider disabling the QuMagie application from the App Center as a temporary hard mitigation, which fully removes the attack surface but also disables all photo management features for end users until the upgrade is applied.

CVE-2023-41285 HIGH
8.8 Nov 10

A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2023-41284 HIGH
8.8 Nov 10

A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2023-39295 HIGH
8.8 Nov 10

An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerab

CVE-2026-26237 HIGH
8.7 Jun 10

Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass

CVE-2026-44083 HIGH
8.7 Jun 09

Authorization bypass in QNAP QuMagie versions prior to 2.9.1 allows remote unauthenticated attackers to manipulate user-

CVE-2023-47560 HIGH
7.4 Jan 05

An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.4), this vulnerab

CVE-2025-62857 MEDIUM
6.1 Jan 02

A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit th

CVE-2023-47559 MEDIUM
5.5 Jan 05

A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. Rated medium severity (CVSS 5.5), this v

CVE-2023-47219 LOW
3.5 Jan 05

A SQL injection vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 3.5), this vulnerability is

CVE-2024-38642 LOW
1.0 Sep 06

An improper certificate validation vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 1.0), thi

CVE-2025-58464 HIGH
7.8 Nov 07

A relative path traversal vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.8), this vulner

CVE-2025-52425 CRITICAL
9.5 Nov 07

An SQL injection vulnerability has been reported to affect QuMagie. Rated critical severity (CVSS 9.5), this vulnerabili

Share

CVE-2026-26236 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy