Description
Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
Published: 2026-05-27
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw (CWE-862) in the AddOns functionality of Synology Surveillance Station. Remote authenticated users with administrator privileges can obtain sensitive information through unspecified vectors. Because the affected functionality does not enforce proper authorization checks, confidential data may be exposed.

Affected Systems

Synology Surveillance Station is affected. Users running any version prior to 9.2.2-11575 or 9.2.2-9575 are at risk. The issue arises in the AddOns section of the application, which is part of the surveillance firmware package.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate impact. EPSS information is not available, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to be a remote authenticated administrator. The description leaves the vectors unspecified; the likely attack vector, inferred from it, is the web interface or API where AddOns are managed. An attacker with these credentials can extract sensitive configuration or other data before the patch is applied.

Generated by OpenCVE AI on May 27, 2026 at 10:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Surveillance Station to version 9.2.2-11575 or later, or apply the latest available firmware update as recommended by Synology
  • Limit remote administrative access by configuring the device firewall or VPN to allow only trusted IP ranges
  • Remove or downgrade users that have administrator privileges if they are not required, following the principle of least privilege



Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Missing Authorization Allows Sensitive Information Disclosure via AddOns in Synology Surveillance Station |

Wed, 27 May 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Synology, Synology surveillance Station |
| Vendors & Products | | Synology, Synology surveillance Station |

Wed, 27 May 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors. |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T08:29:31.386Z

Reserved: 2024-09-24T03:58:57.133Z

Link: CVE-2024-47268

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T09:16:25.620

Modified: 2026-05-27T09:16:25.620

Link: CVE-2024-47268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:00:13Z

Weaknesses