Description
An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges.

We have already fixed the vulnerability in the following version:
QuMagie 2.9.1 and later
Published: 2026-06-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CVE-2026-44083 is an authorization bypass vulnerability in QNAP Systems Inc.'s QuMagie that allows remote attackers to manipulate a user-controlled key and obtain privileges they are not permitted to have. The weakness is classified as authorization bypass through a user-controlled key (CWE-639). It lets attackers gain elevated rights and could lead to a full compromise if administrative privileges are acquired.

Affected Systems

The vulnerability affects QNAP Systems Inc.'s QuMagie installations running versions earlier than 2.9.1 (QuMagie 2.9.0 and earlier). This range is inferred from the vendor's statement that the issue has been fixed in 2.9.1 and later; the original text does not explicitly list affected versions.

Risk and Exploitability

The CVSS score of 8.7 marks this as high severity. An EPSS score is not available, so the probability of exploitation is uncertain; the CVE is not listed in the CISA KEV catalog. The likely attack vector is remote, presumably through a network-accessible component of the QuMagie service, as implied by the phrase "remote attackers". Successful exploitation would grant attackers higher-level privileges and could enable broader system compromise.

Generated by OpenCVE AI on June 9, 2026 at 08:52 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later


OpenCVE Recommended Actions

  • Upgrade QuMagie to version 2.9.1 or later, which contains the fix for the authorization bypass.
  • Revoke any user‑controlled key settings or disable the feature that allows users to provide custom keys, reducing the attack surface.
  • Re‑configure access control to ensure only authorized accounts retain administrative privileges and monitor logs for any unauthorized privilege escalation attempts.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap Systems; Qnap Systems qumagie
Vendors & Products | | Qnap Systems; Qnap Systems qumagie

Tue, 09 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later
Title | | QuMagie
Weaknesses | | CWE-639
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-09T13:10:16.398Z

Reserved: 2026-05-05T07:32:16.697Z

Link: CVE-2026-44083

Vulnrichment

Updated: 2026-06-09T13:10:11.456Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T08:16:28.940

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-44083

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T09:00:08Z

Weaknesses