Description
A use of GET request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information.
Published: 2026-05-27
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the Synology Storage Manager package: the volume encryption feature issues GET requests whose query strings carry sensitive data. The flaw allows local attackers to retrieve confidential information that should be protected by encryption. The weakness is classified as CWE‑598 (Use of GET Request Method With Sensitive Query Strings), which covers sensitive values placed in a URL query string, where they can be recorded in places the request body would not reach, such as server and proxy logs, browser history, and process listings readable by other local users. The primary impact is information disclosure, which could enable an attacker to obtain encryption keys, configuration details, or other privileged data from the local host.

Affected Systems

The affected product is Synology Storage Manager, specifically versions prior to 1.0.1‑1100. Versions 1.0.1‑1100 and later contain the fix that removes the exposure of sensitive query parameters during GET requests.

Risk and Exploitability

The CVSS score of 6.2 reflects moderate severity, and the EPSS estimate of under 1% suggests limited exploitation likelihood at present. The vector (AV:L/PR:N/UI:N, C:H) means an attacker needs local access but no privileges or user interaction, and the impact is confined to confidentiality. The vulnerability is not listed in CISA’s KEV catalog, indicating that there is no known widespread exploitation. Nevertheless, the potential to expose sensitive encryption-related data warrants timely remediation. The risk is heightened if the system allows local users or services to access the affected endpoints or to read the logs and history in which the query strings are recorded.

Generated by OpenCVE AI on May 27, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Synology Storage Manager to version 1.0.1‑1100 or later, which corrects the GET request handling for volume encryption.
  • Restrict local system users to the minimum privileges required for their roles to limit the scope of potential exploitation.
  • Implement network segmentation or firewall rules to prevent unauthorized local access to the Storage Manager’s encryption endpoints.

Generated by OpenCVE AI on May 27, 2026 at 10:20 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
Title | | Local Information Disclosure via GET Requests with Sensitive Query Strings in Synology Storage Manager

Wed, 27 May 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information.
Weaknesses | | CWE-598
References | |
Metrics | | cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T12:12:26.271Z

Reserved: 2026-02-09T06:21:48.344Z

Link: CVE-2026-2237

Vulnrichment

Updated: 2026-05-27T12:12:16.995Z

NVD

Status: Awaiting Analysis

Published: 2026-05-27T09:16:27.877

Modified: 2026-05-27T14:54:20.160

Link: CVE-2026-2237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:30:28Z

Weaknesses