CVE-2026-26237
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We h...
Affects 0 products across 1 vendor.
Software does not check whether an authenticated actor has permission for the requested operation.
CVE-2026-26237 affects QNAP QuMagie, a photo management application running on QNAP NAS devices, due to a missing authorization vulnerability that allows remote attackers to access unauthorized data or perform unauthorized actions without proper privilege checks. An unauthenticated or low-privileged remote attacker can exploit this to exfiltrate sensitive media data or manipulate application functions, potentially compromising QNAP NAS systems used in OT environments for historian backups, surveillance footage storage, or engineering documentation. While QuMagie is not a native ICS component, QNAP NAS appliances are commonly deployed in industrial networks for data archival, and exploitation could provide attackers a pivot point deeper into OT/IT boundary systems.
Is this CVE in your environment?
BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.
Check My Environment →What is CVE-2026-26237?
Is CVE-2026-26237 actively exploited?
How do I remediate CVE-2026-26237?
What systems are affected by CVE-2026-26237?
| CVE ID | CVE-2026-26237 |
|---|---|
| Published | 2026-06-10 |
| Last Modified | 2026-06-10 |
| ICS Relevance | 70% |
| Weakness (CWE) | |
| Source | NVD |
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later
Source: NIST NVD / MITRE CVE Database
| Vendor | Product | Fixed Version |
|---|---|---|
| Qnap | — | — |
Fixed Version: QuMagie 2.9.0
QuMagie 2.9.0 resolves the missing authorization vulnerability by implementing proper access control enforcement on application endpoints, preventing remote attackers from accessing data or performing actions without appropriate authorization credentials and permissions.
View Vendor Advisory →| CISA KEV | Not in KEV catalog |
|---|---|
| Public Exploit | Not confirmed |
| PoC Code | Not confirmed |
Deploy WAF or reverse proxy rules in front of QNAP NAS web interfaces to block unauthenticated requests to QuMagie API endpoints (URI paths matching /qumagie/api/*). Enforce IP allowlisting so only trusted internal subnets can reach QNAP HTTP/HTTPS ports. Block all direct internet access to QNAP management interfaces at the perimeter firewall. Deploy at network perimeter firewall, internal network DMZ boundary, and any NGFW or IDS/IPS inline between OT/IT network zones.
No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.
Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.
ICS/OT Vulnerability Intelligence for Your Environment
BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.
Join free →