Description
Lack of authentication when using the "snapshot diff" functions in qSnapper before version 1.3.3 allowed a local attacker to see otherwise read protected information.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the use of the 'snapshot diff' functions in qSnapper, which lack proper authentication controls. As a result, a local user can invoke these functions and gain access to information that should be protected. This flaw corresponds to CWE-306, Missing Authentication, and permits data disclosure across the application's protected data stores.

Affected Systems

Affected are installations of presire's qSnapper before the public release of version 1.3.3. Users running any earlier release of the snap creation tool are exposed to the described information leak. The flaw exists in the component that calculates differences between snapshots, and the missing authentication check applies to all local instances of the tool.

Risk and Exploitability

The CVSS score of 6.9 categorizes the vulnerability as a medium severity issue. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, indicating limited publicly available exploit tooling. Nevertheless, because the weakness is exploitable locally, an attacker with user or root privileges on the same host can read sensitive data once the diff functions are called, with no remote attack surface inferred from the description.

Generated by OpenCVE AI on June 22, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade qSnapper to version 1.3.3 or later, which enforces authentication for diff operations.
  • Verify that the updated binary requires appropriate credentials before executing diff features.
  • Limit local account privileges so that only trusted administrators can use qSnapper’s snapshot diff functions.

Generated by OpenCVE AI on June 22, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Presire
Presire qsnapper
Vendors & Products Presire
Presire qsnapper

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Lack of authentication when using the "snapshot diff" functions in qSnapper before version 1.3.3 allowed a local attacker to see otherwise read protected information.
Title Information leak via “diff” methods in qSnapper
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Presire Qsnapper
cve-icon MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-06-22T16:24:23.656Z

Reserved: 2026-04-16T13:37:50.679Z

Link: CVE-2026-41047

cve-icon Vulnrichment

Updated: 2026-06-22T16:24:19.276Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:03:18Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function