Description
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.

We have already fixed the vulnerability in the following version:
QuMagie 2.9.0 and later
Published: 2026-06-10
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in QNAP's QuMagie software allows an attacker who can reach the application over the network to retrieve or manipulate data and settings that should be protected, potentially exposing sensitive files and configuration information. Per the referenced CWEs, the weakness combines missing authorization (CWE-862) with exposure of private personal information to an unauthorized actor (CWE-359).

Affected Systems

QNAP Systems Inc. QuMagie versions prior to 2.9.0 are affected. The issue was fixed in QuMagie 2.9.0 and later releases.

Risk and Exploitability

The vulnerability is scored 6.6 on the CVSS 4.0 scale, indicating medium severity. The EPSS score indicates a very low exploitation probability, below 1%, and the flaw is not listed in KEV; neither lowers the exposure of deployments where QuMagie is reachable over a network. An adversary most likely needs only remote network access to the QuMagie service: the flaw can be exploited without any privileges, leading to unauthorized data access or modification.

Generated by OpenCVE AI on June 17, 2026 at 18:38 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later


OpenCVE Recommended Actions

  • Upgrade QuMagie to version 2.9.0 or later to obtain the vendor-provided fix.
  • Restrict network access to the QuMagie service using firewall rules or network segmentation while the upgrade is pending.
  • Continuously monitor QuMagie logs for suspicious activity and block offending IP addresses as a temporary defensive measure.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
| Metrics | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} | cvssV4_0 {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'} |


Fri, 12 Jun 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Qnap; Qnap qumagie |
| CPEs | | cpe:2.3:a:qnap:qumagie:*:*:*:*:*:*:*:* |
| Vendors & Products | | Qnap; Qnap qumagie |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


Wed, 10 Jun 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 10 Jun 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Qnap Systems; Qnap Systems qumagie |
| Vendors & Products | | Qnap Systems; Qnap Systems qumagie |

Wed, 10 Jun 2026 03:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later |
| Title | | QuMagie |
| Weaknesses | | CWE-359; CWE-862 |
| References | | |
| Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-17T01:54:01.266Z

Reserved: 2026-02-12T02:21:35.482Z

Link: CVE-2026-26237

Vulnrichment

Updated: 2026-06-10T15:26:03.010Z

NVD

Status: Analyzed

Published: 2026-06-10T04:17:19.067

Modified: 2026-06-12T19:53:02.280

Link: CVE-2026-26237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T18:45:10Z

Weaknesses
  • CWE-359

    Exposure of Private Personal Information to an Unauthorized Actor

  • CWE-862

    Missing Authorization