HIGH | CVE-2026-24724 | CNA: qnap

CVE-2026-24724: File Station 5

An incorrect authorization vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later.

Metrics

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 5.5.6.5243
Affected Products: 1

HarborGuard Analysis

Synopsis

An incorrect authorization vulnerability affects QNAP File Station 5, reachable over the network by any authenticated user with a low-privilege account. The flaw allows an attacker who holds a valid user account to bypass access restrictions that are supposed to limit what files or directories they can reach, exposing file contents and allowing unauthorized writes. A patched-image rebuild at version 5.5.6.5243 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-24724 is available across every HarborGuard environment. The CVE is matched against customer images within minutes of publication, covering both registry-hosted and pipeline-built images, including custom images derived from QNAP File Station 5 base layers. Coverage applies to any image in the affected version range, from 5.5.0 up to but not including 5.5.6.5243.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at 8.6 HIGH (CVSS v4.0) and weighting that score against each environment's compliance policy to prioritize routing. Findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at File Station 5 version 5.5.6.5243 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of triggering the rebuild, running a regression test suite against the new image, and opening a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker exploits this remotely without requiring local or physical access to the host.

  • Authentication: Required

    A valid user account is needed to exploit this vulnerability. Any low-privilege account is sufficient; admin credentials are not required.

  • Victim interaction: Not required

    No action from another user or victim is needed; the attacker operates entirely on their own once authenticated.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, with no race conditions, specific memory layouts, or environmental dependencies required to trigger the authorization bypass.

Blast Radius

  • An attacker reads files and directories beyond the scope their account is authorized to access, including files belonging to other users.
  • An attacker writes to or modifies files and directories they should not have permission to change, enabling data tampering or planting of malicious content.
  • Confidentiality and integrity of stored data are both compromised, but the service itself remains available as there is no denial-of-service impact indicated by the CVSS scoring.
  • The impact is confined to the File Station 5 component; no cross-system or downstream service compromise is indicated by the CVSS vector.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-24724 fires against any image in the File Station 5 5.5.0 to pre-5.5.6.5243 range within minutes of the image being scanned or the CVE being ingested from upstream feeds. A patched rebuild at 5.5.6.5243 is available for environments running an affected version. Where compliance policy permits auto-remediation, HarborGuard can rebuild the image at the patched version, run a regression test suite against it, and open a pull request against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding will surface in the HarborGuard dashboard with severity 8.6 HIGH, allowing teams to prioritize manual remediation against the published fix version.

Fix available: 5.5.6.5243
Affected packages
  • QNAP Systems Inc. / File Station 5
    < 5.5.6.5243 (from 5.5.0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N