CVE-2026-24724 - Vulnerability Details

Description

An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions.

We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5243 and later

Published: 2026-06-10

Score: 6.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an incorrect authorization flaw that enables an attacker who has first obtained a legitimate user account to access data and features beyond the intended permissions. This mis‑implemented access control is classified as CWE-863 and can lead to unauthorized disclosure and manipulation of protected information.

Affected Systems

The affected vendor is QNAP Systems Inc. The product is File Station 5. Versions prior to 5.5.6.5243 are vulnerable. The advisory also references File Station 6, but the documented fix applies to the File Station 5 line.

Risk and Exploitability

The CVSS score of 6.2 indicates medium severity. The exploit requires an active user account, so an attacker must first compromise or guess legitimate credentials. Once authenticated, the attacker can bypass authorization controls. The EPSS score of < 1% indicates a very low but non‑zero exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but the medium CVSS combined with the fact that the flaw impacts a popular NAS platform should cause organizations to treat it with priority.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

QNAP Systems Inc.

File Station 5

unaffected

Version	Status	Constraints
`5.5.0`	affected	< 5.5.6.5243

Configuration 1 [-]

cpe:2.3:a:qnap:file_station:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Qnap Systems

File Station 5

95%

Version	Status	Scheme	Platform
`[5.5.0,5.5.6.5243)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later

OpenCVE Recommended Actions

Upgrade File Station 5 to version 5.5.6.5243 or later
Enforce strong password policies and enable account lockout to reduce the chance that a user account can be compromised
Monitor system logs for signs of unauthorized file access or anomalous user activity

Generated by OpenCVE AI on June 17, 2026 at 20:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00259.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-26-10
https://www.qnap.com/en/security-advisory/qsa-26-29

History

Wed, 17 Jun 2026 05:15:00 +0000

Type	Values Removed	Values Added
References		https://www.qnap.com/en/security-advisory/qsa-26-10
Metrics	cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`	cvssV4_0 `{'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}`

Fri, 12 Jun 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Qnap Qnap file Station
CPEs		cpe:2.3:a:qnap:file_station::::::::
Vendors & Products		Qnap Qnap file Station
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}`

Wed, 10 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 10 Jun 2026 06:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Qnap Systems Qnap Systems file Station 5
Vendors & Products		Qnap Systems Qnap Systems file Station 5

Wed, 10 Jun 2026 03:45:00 +0000

Type	Values Removed	Values Added
Description		An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later
Title		File Station 5
Weaknesses		CWE-863
References		https://www.qnap.com/en/security-advisory/qsa-26-29
Metrics		cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Qnap File Station

Qnap Systems File Station 5

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2026-06-10T03:15:27.445Z

Updated: 2026-06-17T01:47:50.685Z

Reserved: 2026-01-26T06:41:35.898Z

Link: CVE-2026-24724

Vulnrichment

Updated: 2026-06-10T15:09:31.546Z

NVD

Status : Analyzed

Published: 2026-06-10T04:17:17.253

Modified: 2026-06-12T13:47:31.767

Link: CVE-2026-24724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T20:45:03Z

Weaknesses

CWE-863
Incorrect Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object