What is the CVSS score of CVE-2026-32911?

CVE-2026-32911 has a CVSS 3.1 base score of 6.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L.

Which versions of Synology are affected by CVE-2026-32911?

CVE-2026-32911 presents moderate security risk, a incorrect authorization vulnerability rated CVSS 6.4. Attackers could gain access beyond their authorized level.. A patch is available.

Synology CVE-2026-32911

EUVD-2026-14595 MEDIUM

Incorrect Authorization (CWE-863)

2026-03-23 VulnCheck

GHSA-gpwv-vx7w-xqm4

Authentication Bypass Synology

6.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 23, 2026 - 22:00 euvd

EUVD-2026-14595

Analysis Generated

Mar 23, 2026 - 22:00 vuln.today

Patch released

Mar 23, 2026 - 22:00 nvd

Patch available

CVE Published

Mar 23, 2026 - 21:36 nvd

MEDIUM 6.4

DescriptionNVD

OpenClaw versions 2026.2.22 prior to 2026.2.24 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks to dispatch unauthorized messages to downstream agents and tools.

AnalysisAI

Synology OpenClaw versions prior to 2026.2.24 contain an authorization bypass in the synology-chat channel plugin where misconfigured allowlist policies with empty user IDs fail to enforce access controls. Authenticated attackers with Synology sender privileges can exploit this flaw to send unauthorized messages through downstream agents and tools. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2025-12686 CRITICAL Act Now

9.8 May 27

Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the

CVE-2025-13392 HIGH This Week

8.1 May 27

Authentication bypass in Synology DiskStation Manager (DSM) SSO lets remote, unauthenticated attackers who already know

CVE-2025-14713 HIGH This Week

7.5 May 27

Credential disclosure in Synology C2 Identity Edge Server (DSM versions before 1.76.0-0307) allows remote unauthenticate

CVE-2026-2237 MEDIUM This Month

6.2 May 27

Volume encryption in Synology Storage Manager before version 1.0.1-1100 transmits sensitive data via HTTP GET query stri

CVE-2025-13593 MEDIUM This Month

6.1 May 27

Arbitrary file write with restricted content in Synology ActiveProtect Agent before 1.1.0-0439 is exploitable by local u

CVE-2026-32911 vulnerability details – vuln.today

Back