Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (qnap) · only source for this CVE.
CVSS VectorVendor: qnap
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.
We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later
AnalysisAI
Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass authorization checks over the network without authentication. The CVSS 4.0 score of 8.7 reflects high confidentiality impact with low attack complexity and no privileges required, though no public exploit identified at time of analysis and KEV listing is absent.
Technical ContextAI
QuMagie is QNAP's AI-powered photo management application that runs on QTS/QuTS hero NAS devices, providing facial recognition, object detection, and media organization features typically exposed over HTTP/HTTPS via the QNAP web interface. The root cause is CWE-862 (Missing Authorization), meaning the application performs sensitive operations without verifying whether the requesting principal is permitted to perform them - this is distinct from missing authentication, since the access control check itself is absent or incomplete on specific endpoints. The CPE string cpe:2.3:a:qnap_systems_inc.:qumagie:*:*:*:*:*:*:*:* confirms all versions of the QuMagie application are in scope prior to the fix.
RemediationAI
Upgrade QuMagie to the vendor-released patch version 2.9.0 or later via the QNAP App Center on the affected NAS, following guidance in the QNAP advisory QSA-26-36 at https://www.qnap.com/en/security-advisory/qsa-26-36. If immediate patching is not feasible, restrict network exposure of the QuMagie web interface by placing the NAS behind a VPN or firewall ACL that limits access to trusted management IPs only - note this breaks any external/mobile photo browsing workflows users may rely on. Additionally consider disabling the QuMagie application from the App Center as a temporary hard mitigation, which fully removes the attack surface but also disables all photo management features for end users until the upgrade is applied.
A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is
A SQL injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerability is
An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 8.8), this vulnerab
Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass
Authorization bypass in QNAP QuMagie versions prior to 2.9.1 allows remote unauthenticated attackers to manipulate user-
An OS command injection vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.4), this vulnerab
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit th
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. Rated medium severity (CVSS 5.5), this v
A SQL injection vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 3.5), this vulnerability is
An improper certificate validation vulnerability has been reported to affect QuMagie. Rated low severity (CVSS 1.0), thi
A relative path traversal vulnerability has been reported to affect QuMagie. Rated high severity (CVSS 7.8), this vulner
An SQL injection vulnerability has been reported to affect QuMagie. Rated critical severity (CVSS 9.5), this vulnerabili
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35347
GHSA-xxxj-w44j-q5cf