Skip to main content

QNAP QuMagie CVE-2026-44083

| EUVDEUVD-2026-35354 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-09 qnap GHSA-9q66-9qq3-h395
8.7
CVSS 4.0 · Vendor: qnap
Share

Severity by source

Vendor (qnap) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (qnap) · only source for this CVE.

CVSS VectorVendor: qnap

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 10:05 vuln.today
Patch available
Jun 09, 2026 - 09:01 EUVD
CVSS changed
Jun 09, 2026 - 08:22 NVD
8.7 (HIGH)
CVE Published
Jun 09, 2026 - 06:20 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges.

We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later

AnalysisAI

Authorization bypass in QNAP QuMagie versions prior to 2.9.1 allows remote unauthenticated attackers to manipulate user-controlled keys (IDOR-class flaw) and gain unintended privileges on the photo management application. The QNAP-issued advisory QSA-26-35 confirms the issue and ships a fix in 2.9.1; no public exploit identified at time of analysis, and the flaw is not currently listed in CISA KEV.

Technical ContextAI

QuMagie is QNAP's AI-powered photo management application that runs on QTS/QuTS hero NAS appliances, typically exposed via the NAS web interface and accessible over the LAN or, when port-forwarded, the internet. The underlying weakness is CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as Insecure Direct Object Reference (IDOR): the application accepts an identifier (such as an album, photo, user, or share ID) supplied by the client and uses it to look up or act upon a resource without verifying that the requesting principal is authorized for that specific object. The single CPE entry (cpe:2.3:a:qnap_systems_inc.:qumagie:*) and the EUVD range 'QuMagie 2.9.0 <2.9.1' indicate the vulnerable code path is confined to the QuMagie application layer rather than the underlying QTS firmware.

RemediationAI

Vendor-released patch: QuMagie 2.9.1 - upgrade via the QNAP App Center (Log in to QTS/QuTS hero → App Center → search for QuMagie → click Update) as documented in QSA-26-35 (https://www.qnap.com/en/security-advisory/qsa-26-35). Until the upgrade is applied, the most effective compensating control is to remove the NAS web interface from the public internet by disabling UPnP/port forwarding for the QuMagie/QTS ports (typically 8080/443) and restricting access to a VPN or trusted source IPs, accepting the trade-off that remote photo access for legitimate users will break until they connect through the VPN. As a tighter interim measure, temporarily stop or uninstall the QuMagie app from the App Center, which fully removes the attack surface at the cost of disabling photo browsing for all users until the patch is installed.

CVE-2023-41285 HIGH
8.8 Nov 10

A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2023-41284 HIGH
8.8 Nov 10

A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2023-39295 HIGH
8.8 Nov 10

An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerab

CVE-2026-26237 HIGH
8.7 Jun 10

Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass

CVE-2026-26236 HIGH
8.7 Jun 09

Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass

CVE-2023-47560 HIGH
7.4 Jan 05

An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.4), this vulnerab

CVE-2025-62857 MEDIUM
6.1 Jan 02

A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit th

CVE-2023-47559 MEDIUM
5.5 Jan 05

A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. Rated medium severity (CVSS 5.5), this v

CVE-2023-47219 LOW
3.5 Jan 05

A SQL injection vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 3.5), this vulnerability is

CVE-2024-38642 LOW
1.0 Sep 06

An improper certificate validation vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 1.0), thi

CVE-2025-58464 HIGH
7.8 Nov 07

A relative path traversal vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.8), this vulner

CVE-2025-52425 CRITICAL
9.5 Nov 07

An SQL injection vulnerability has been reported to affect QuMagie. Rated critical severity (CVSS 9.5), this vulnerabili

Share

CVE-2026-44083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy