Skip to main content

QNAP QuMagie CVE-2026-26237

| EUVDEUVD-2026-35978 HIGH
Missing Authorization (CWE-862)
2026-06-10 qnap GHSA-j3pp-x9pg-8vx4
8.7
CVSS 4.0 · Vendor: qnap
Share

Severity by source

Vendor (qnap) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (qnap) · only source for this CVE.

CVSS VectorVendor: qnap

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 10, 2026 - 06:20 vuln.today
Patch available
Jun 10, 2026 - 05:01 EUVD
CVSS changed
Jun 10, 2026 - 04:22 NVD
8.7 (HIGH)
CVE Published
Jun 10, 2026 - 03:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.

We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later

AnalysisAI

Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass authorization checks and interact with resources they should not be permitted to reach. The flaw is classified as a missing authorization issue (CWE-862) and carries a CVSS 4.0 score of 8.7 due to its network-reachable, low-complexity nature with no privileges or user interaction required. No public exploit identified at time of analysis, but QNAP NAS appliances are historically high-value targets for opportunistic attackers.

Technical ContextAI

QuMagie is QNAP's AI-assisted photo management application that runs on QTS/QuTS hero NAS appliances, providing web-based browsing, tagging, and sharing of image libraries. CWE-862 (Missing Authorization) indicates that one or more application endpoints fail to verify whether the requesting principal is permitted to perform the requested action on the targeted resource - the code likely checks authentication state but omits the access-control decision for specific operations or data objects. The affected CPE is cpe:2.3:a:qnap_systems_inc.:qumagie:*:*:*:*:*:*:*:* covering all QuMagie builds before 2.9.0, and the vendor classifies this under the Authentication Bypass tag because the missing check effectively lets requests reach functionality intended for higher-privilege users.

RemediationAI

Apply the vendor-released patch by upgrading QuMagie to version 2.9.0 or later through the QNAP App Center as directed in advisory QSA-26-10 (https://www.qnap.com/en/security-advisory/qsa-26-10); QNAP confirms the fix is shipped in 2.9.0. Until the upgrade is completed, restrict exposure by removing QuMagie from internet-reachable interfaces - disable myQNAPcloud remote access for the photo service, close any port-forwarding rules that publish the QuMagie web UI, and require VPN access for remote users, accepting that this breaks remote photo browsing for legitimate users. Additionally, review access logs on the NAS for unusual requests to QuMagie endpoints, since the confidentiality-only impact means any prior compromise would manifest as data exfiltration rather than configuration changes.

CVE-2023-41285 HIGH
8.8 Nov 10

A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2023-41284 HIGH
8.8 Nov 10

A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2023-39295 HIGH
8.8 Nov 10

An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerab

CVE-2026-26236 HIGH
8.7 Jun 09

Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass

CVE-2026-44083 HIGH
8.7 Jun 09

Authorization bypass in QNAP QuMagie versions prior to 2.9.1 allows remote unauthenticated attackers to manipulate user-

CVE-2023-47560 HIGH
7.4 Jan 05

An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.4), this vulnerab

CVE-2025-62857 MEDIUM
6.1 Jan 02

A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit th

CVE-2023-47559 MEDIUM
5.5 Jan 05

A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. Rated medium severity (CVSS 5.5), this v

CVE-2023-47219 LOW
3.5 Jan 05

A SQL injection vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 3.5), this vulnerability is

CVE-2024-38642 LOW
1.0 Sep 06

An improper certificate validation vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 1.0), thi

CVE-2025-58464 HIGH
7.8 Nov 07

A relative path traversal vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.8), this vulner

CVE-2025-52425 CRITICAL
9.5 Nov 07

An SQL injection vulnerability has been reported to affect QuMagie. Rated critical severity (CVSS 9.5), this vulnerabili

Share

CVE-2026-26237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy