CVE-2026-26236

N/A

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We h...

Affects 0 products across 1 vendor.

CVSS v48.7
EPSS0.3%
Percentile24th
PatchUnknown
CWE Weakness Definitions
CWE-862: Missing Authorization

Software does not check whether an authenticated actor has permission for the requested operation.

◆ SAGE Intelligence — CITED Relevance Research Team

CVE-2026-26236 affects QNAP QuMagie, a photo management application running on QNAP NAS devices, due to a missing authorization vulnerability. Remote attackers can exploit this flaw without proper authentication checks to access sensitive photo data or perform unauthorized actions on the system. In OT environments where QNAP NAS devices are used for storing operational data, historian backups, or configuration files, this vulnerability could expose critical infrastructure data to unauthorized parties.

Is this CVE in your environment?

BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.

Check My Environment →
Frequently Asked Questions
What is CVE-2026-26236?
CVE-2026-26236 affects QNAP QuMagie, a photo management application running on QNAP NAS devices, due to a missing authorization vulnerability. Remote attackers can exploit this flaw without proper authentication checks to access sensitive photo data or perform unauthorized actions on the system. In OT environments where QNAP NAS devices are used for storing operational data, historian backups, or configuration files, this vulnerability could expose critical infrastructure data to unauthorized pa
Is CVE-2026-26236 actively exploited?
No confirmed active exploitation of CVE-2026-26236 as of 2026-06-24.
How do I remediate CVE-2026-26236?
Update to QuMagie 2.9.0 or later. QuMagie 2.9.0 resolves a missing authorization vulnerability by implementing proper access control checks on affected endpoints, preventing remote attackers from accessing unauthorized data or performing unauthorized actions within the application. Advisory: https://www.qnap.com/en/security-advisory/qsa-26-26236
What systems are affected by CVE-2026-26236?
CVE-2026-26236 affects: Qnap.
Vulnerability Details
CVE IDCVE-2026-26236
Published2026-06-09
Last Modified2026-06-09
ICS Relevance70%
Weakness (CWE)
Missing Authorization
SourceNVD
Official Description

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later

Source: NIST NVD / MITRE CVE Database

Affected Products
VendorProductFixed Version
Qnap —
Remediation

Fixed Version: QuMagie 2.9.0

QuMagie 2.9.0 resolves a missing authorization vulnerability by implementing proper access control checks on affected endpoints, preventing remote attackers from accessing unauthorized data or performing unauthorized actions within the application.

View Vendor Advisory →
Threat Intelligence
● Threat Intelligence Validated: June 2026 | Threat Age: 17 Days
CISA KEVNot in KEV catalog
Public ExploitNot confirmed
PoC CodeNot confirmed
● Virtual Patch — CITED Relevance SAGE Engine LOW CONFIDENCE

Deploy a web application firewall (WAF) or inline IDS/IPS at the network perimeter and OT DMZ boundary to detect and block unauthorized HTTP requests targeting QuMagie API paths on QNAP NAS devices. Block all inbound connections to QNAP NAS management ports (8080, 443, 8443) from untrusted networks, and restrict access to known management workstation IPs only.

No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.

Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.

Related CVEs affecting Qnap
CVE-2017-7876 10.0 This command injection vulnerability in QTS allows attackers to run arbitrary... CVE-2024-32766 10.0 An OS command injection vulnerability has been reported to affect several QNA... CVE-2024-32764 9.9 A missing authentication for critical function vulnerability has been reporte... CVE-2014-6271 9.8 GNU Bash through 4.3 processes trailing strings after function definitions in... CVE-2019-7194 9.8 This external control of file name or path vulnerability allows remote attack...
View all Qnap CVEs →

ICS/OT Vulnerability Intelligence for Your Environment

BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.

Join free →