Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (qnap) · only source for this CVE.
CVSS VectorVendor: qnap
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges.
We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later
AnalysisAI
Authorization bypass in QNAP QuMagie versions prior to 2.9.1 allows remote unauthenticated attackers to manipulate user-controlled keys (IDOR-class flaw) and gain unintended privileges on the photo management application. The QNAP-issued advisory QSA-26-35 confirms the issue and ships a fix in 2.9.1; no public exploit identified at time of analysis, and the flaw is not currently listed in CISA KEV.
Technical ContextAI
QuMagie is QNAP's AI-powered photo management application that runs on QTS/QuTS hero NAS appliances, typically exposed via the NAS web interface and accessible over the LAN or, when port-forwarded, the internet. The underlying weakness is CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as Insecure Direct Object Reference (IDOR): the application accepts an identifier (such as an album, photo, user, or share ID) supplied by the client and uses it to look up or act upon a resource without verifying that the requesting principal is authorized for that specific object. The single CPE entry (cpe:2.3:a:qnap_systems_inc.:qumagie:*) and the EUVD range 'QuMagie 2.9.0 <2.9.1' indicate the vulnerable code path is confined to the QuMagie application layer rather than the underlying QTS firmware.
RemediationAI
Vendor-released patch: QuMagie 2.9.1 - upgrade via the QNAP App Center (Log in to QTS/QuTS hero → App Center → search for QuMagie → click Update) as documented in QSA-26-35 (https://www.qnap.com/en/security-advisory/qsa-26-35). Until the upgrade is applied, the most effective compensating control is to remove the NAS web interface from the public internet by disabling UPnP/port forwarding for the QuMagie/QTS ports (typically 8080/443) and restricting access to a VPN or trusted source IPs, accepting the trade-off that remote photo access for legitimate users will break until they connect through the VPN. As a tighter interim measure, temporarily stop or uninstall the QuMagie app from the App Center, which fully removes the attack surface at the cost of disabling photo browsing for all users until the patch is installed.
A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is
A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is
An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerab
Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass
Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass
An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.4), this vulnerab
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit th
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. Rated medium severity (CVSS 5.5), this v
A SQL injection vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 3.5), this vulnerability is
An improper certificate validation vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 1.0), thi
A relative path traversal vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.8), this vulner
An SQL injection vulnerability has been reported to affect QuMagie. Rated critical severity (CVSS 9.5), this vulnerabili
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35354
GHSA-9q66-9qq3-h395