CVE-2026-2237 - Vulnerability Details

Description

A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local users on Windows to obtain sensitive information.

Published: 2026-05-27

Score: 6.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The bug occurs when Synology Storage Manager processes GET requests that include sensitive query strings related to volume encryption. Local users on Windows who can interact with the application are able to read data that should be concealed. This results in an information disclosure. The weakness is categorized as CWE‑598, meaning sensitive data is exposed when it should not be included in a request.

Affected Systems

The affected product is Synology Storage Manager, versions earlier than 1.0.1‑1100. Later releases contain the fix.

Risk and Exploitability

The CVSS score of 6.2 indicates a moderate severity. With an EPSS below 1 % and not being listed in CISA’s KEV catalog, the likelihood of exploitation is low. The flaw requires local access, so it can be exploited by an attacker who can run code or otherwise interact with the system but does not require remote attack capabilities.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Synology

Storage Manager

affected

Version	Status	Constraints
`*`	affected	< 1.0.1-1100

Configuration 1 [-]

AND

cpe:2.3:a:synology:storage_manager:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:synology:diskstation_manager:7.2.1:::::::*
	cpe:2.3:o:synology:diskstation_manager:7.2.2:::::::*
	cpe:2.3:o:synology:diskstation_manager:7.3:::::::*

No data.

Vendor Product Confidence Versions

Synology

Storage Manager

100%

Version	Status	Scheme	Platform
`[0,1.0.1-1100)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Synology update that releases Storage Manager version 1.0.1‑1100 or later, which removes the use of sensitive query strings in GET requests.
Limit local account permissions so that only trusted users can access Storage Manager features.
Monitor for any abnormal activity around Storage Manager endpoints to detect potential exploitation.

Generated by OpenCVE AI on June 2, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00092.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.synology.com/en-global/security/advisory/Synology_SA_26_01

History

Tue, 02 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
Title	Local Information Disclosure via GET Requests with Sensitive Query Strings in Synology Storage Manager

Tue, 02 Jun 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description	A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information.	A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local users on Windows to obtain sensitive information.

Mon, 01 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Synology diskstation Manager
CPEs		cpe:2.3:a:synology:storage_manager:::::::: cpe:2.3:o:synology:diskstation_manager:7.2.1:::::::* cpe:2.3:o:synology:diskstation_manager:7.2.2:::::::* cpe:2.3:o:synology:diskstation_manager:7.3:::::::*
Vendors & Products		Synology diskstation Manager

Sat, 30 May 2026 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Synology Synology storage Manager
Vendors & Products		Synology Synology storage Manager

Wed, 27 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 27 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
Title		Local Information Disclosure via GET Requests with Sensitive Query Strings in Synology Storage Manager

Wed, 27 May 2026 09:00:00 +0000

Type	Values Removed	Values Added
Description		A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information.
Weaknesses		CWE-598
References		https://www.synology.com/en-global/security/advisory/Synology_SA_26_01
Metrics		cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Synology Diskstation Manager Storage Manager

MITRE

Status: PUBLISHED

Assigner: synology

Published: 2026-05-27T08:44:29.472Z

Updated: 2026-06-02T08:28:36.196Z

Reserved: 2026-02-09T06:21:48.344Z

Link: CVE-2026-2237

Vulnrichment

Updated: 2026-05-27T12:12:16.995Z

NVD

Status : Modified

Published: 2026-05-27T09:16:27.877

Modified: 2026-06-02T10:16:20.640

Link: CVE-2026-2237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T12:30:08Z

Weaknesses

CWE-598
Use of HTTP Request With Sensitive Query String

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object