Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (qnap) · only source for this CVE.
CVSS VectorVendor: qnap
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.
We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later
AnalysisAI
Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass authorization checks and interact with resources they should not be permitted to reach. The flaw is classified as a missing authorization issue (CWE-862) and carries a CVSS 4.0 score of 8.7 due to its network-reachable, low-complexity nature with no privileges or user interaction required. No public exploit identified at time of analysis, but QNAP NAS appliances are historically high-value targets for opportunistic attackers.
Technical ContextAI
QuMagie is QNAP's AI-assisted photo management application that runs on QTS/QuTS hero NAS appliances, providing web-based browsing, tagging, and sharing of image libraries. CWE-862 (Missing Authorization) indicates that one or more application endpoints fail to verify whether the requesting principal is permitted to perform the requested action on the targeted resource - the code likely checks authentication state but omits the access-control decision for specific operations or data objects. The affected CPE is cpe:2.3:a:qnap_systems_inc.:qumagie:*:*:*:*:*:*:*:* covering all QuMagie builds before 2.9.0, and the vendor classifies this under the Authentication Bypass tag because the missing check effectively lets requests reach functionality intended for higher-privilege users.
RemediationAI
Apply the vendor-released patch by upgrading QuMagie to version 2.9.0 or later through the QNAP App Center as directed in advisory QSA-26-10 (https://www.qnap.com/en/security-advisory/qsa-26-10); QNAP confirms the fix is shipped in 2.9.0. Until the upgrade is completed, restrict exposure by removing QuMagie from internet-reachable interfaces - disable myQNAPcloud remote access for the photo service, close any port-forwarding rules that publish the QuMagie web UI, and require VPN access for remote users, accepting that this breaks remote photo browsing for legitimate users. Additionally, review access logs on the NAS for unusual requests to QuMagie endpoints, since the confidentiality-only impact means any prior compromise would manifest as data exfiltration rather than configuration changes.
A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is
A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is
An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerab
Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass
Authorization bypass in QNAP QuMagie versions prior to 2.9.1 allows remote unauthenticated attackers to manipulate user-
An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.4), this vulnerab
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit th
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. Rated medium severity (CVSS 5.5), this v
A SQL injection vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 3.5), this vulnerability is
An improper certificate validation vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 1.0), thi
A relative path traversal vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.8), this vulner
An SQL injection vulnerability has been reported to affect QuMagie. Rated critical severity (CVSS 9.5), this vulnerabili
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35978
GHSA-j3pp-x9pg-8vx4