How is CVE-2026-10880 exploited?

Network reachability (required): The attacker must reach the QuantaStor SDS Manager login endpoint over the network; no local or physical access is assumed. Authentication (not-required): No credentials of any kind are needed; the injection is triggered at the pre-authentication login endpoint. Victim interaction (not-required): The attacker sends a crafted request directly to the service with no user interaction required. Attack complexity (info): Exploitation is reliable and condition-free; no race conditions, memory layout knowledge, or environmental setup is required.

What is the impact of CVE-2026-10880?

A successful attacker bypasses authentication and logs in as an administrator without a valid password, gaining full control of the QuantaStor management interface. With administrative access, the attacker can read all stored configuration data, credentials, and storage metadata managed by the SDS instance. The attacker can modify or delete storage volumes, pools, and shares, corrupting or destroying persisted data. The attacker can crash or shut down the QuantaStor management service, taking storage provisioning and management offline.

Back to search

CRITICALCVE-2026-10880Published 2026-06-04Modified 2026-06-04CNA BLSOPS

CVE-2026-10880: Unauthenticated SQL Injection in Osnexus Quantastor

OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated remote attacker to bypass authentication and log in as an administrator without supplying a valid password.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 6.6.1
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an unauthenticated SQL injection vulnerability in OSNexus QuantaStor SDS Manager affecting versions 5.9 through 6.6.0. The flaw is reachable over the network with no credentials required: an attacker sends a crafted username string to the login endpoint, manipulating the underlying SQL query to bypass authentication entirely and gain administrator access. Successful exploitation gives the attacker full administrative control over the storage management interface. A patched-image rebuild at version 6.6.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-10880 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle QuantaStor components, across connected registries and CI/CD pipelines.

Available

Triage

HarborGuard scores this finding at CVSS 9.8 (Critical) and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within the customer organization based on image ownership and policy configuration.

Available

Patch

A patched-image rebuild at QuantaStor version 6.6.1 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the QuantaStor SDS Manager login endpoint over the network; no local or physical access is assumed.
AuthenticationNot required
No credentials of any kind are needed; the injection is triggered at the pre-authentication login endpoint.
Victim interactionNot required
The attacker sends a crafted request directly to the service with no user interaction required.
Attack complexityDetail
Exploitation is reliable and condition-free; no race conditions, memory layout knowledge, or environmental setup is required.

Blast Radius

A successful attacker bypasses authentication and logs in as an administrator without a valid password, gaining full control of the QuantaStor management interface.
With administrative access, the attacker can read all stored configuration data, credentials, and storage metadata managed by the SDS instance.
The attacker can modify or delete storage volumes, pools, and shares, corrupting or destroying persisted data.
The attacker can crash or shut down the QuantaStor management service, taking storage provisioning and management offline.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10880 is active the moment the advisory is ingested, matching against all images in connected registries and pipelines. Given the Critical severity (CVSS 9.8) and the absence of any authentication barrier, this CVE is prioritized at the highest triage tier. A patched-image rebuild at QuantaStor 6.6.1 is available; for environments with auto-remediation enabled, HarborGuard can rebuild the image, run the regression suite, and open a PR against affected workloads automatically. For high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is routed to the appropriate team inbox for manual review. As an interim compensating control, customers can apply network policy rules to restrict access to the QuantaStor management port to trusted internal IP ranges only, reducing exposure until the patched image is deployed.

See how HarborGuard automates this

Fix available

6.6.1

Affected packages

Osnexus / QuantaStor
< 6.6.1 (from 5.9)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

blog.blacklanternsecurity.com

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available