CVE-2026-26236: QuMagie
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 2.9.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
A missing authorization vulnerability affects QNAP QuMagie versions before 2.9.0. The flaw is remotely exploitable over the network with no authentication required and no user interaction needed, making it accessible to any attacker who can reach the service. Successful exploitation allows an attacker to read unauthorized data from the application. A patched-image rebuild at version 2.9.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-26236 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle QuMagie. Coverage extends to both registry scans and active CI/CD pipeline checks.
Triage is available using the CVSS v4.0 score of 8.7 (HIGH), weighted against each customer org's per-environment compliance policy to prioritize alert routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at QuMagie 2.9.0 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the QuMagie service over the network; no local or physical access is assumed.
- Authentication: Not required
No account or credential of any privilege level is needed to trigger the vulnerability.
- Victim interaction: Not required
The attacker does not need to trick or wait for any user action to exploit this flaw.
- Attack complexity: Detail
Exploit conditions are straightforward and reliable, with no race conditions or special environmental configuration required.
Blast Radius
- An attacker reads data stored in QuMagie that they are not authorized to access, such as photo libraries, albums, or associated metadata belonging to other users.
- No write or delete capability is granted by this vulnerability; data integrity is not directly affected.
- Service availability is not impacted; the application continues running while the unauthorized read occurs.
How HarborGuard Handles This
Available on HarborGuard: detection of this missing authorization vulnerability is active for all scanned images containing QuMagie versions prior to 2.9.0. For environments where an affected version is found, a rebuilt image at the fixed version 2.9.0 is made available. For customers who opt into auto-remediation, HarborGuard initiates a rebuild, runs regression checks, and opens a patch PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy or organizational controls require manual review before patching, the finding is routed to the configured owner inbox with full CVSS context attached.
Fix available
- QNAP Systems Inc. / QuMagie < 2.9.0 (from 2.9.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
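
The vector above can be decoded mechanically into the exploit conditions and blast radius listed on this page. The following is an added example, not HarborGuard or QNAP code; the function names are assumptions chosen for illustration.

```python
# Added example: validate a CVSS v4.0 base vector and derive triage facts from it.
# Function names are illustrative, not part of any vendor tool.
IMPACT = {"H": "High", "L": "Low", "N": "None"}
# Mandatory base metrics, in the order the CVSS v4.0 specification requires.
BASE_METRICS = {
    "AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
    "AC": {"L": "Low", "H": "High"},
    "AT": {"N": "None", "P": "Present"},
    "PR": {"N": "None", "L": "Low", "H": "High"},
    "UI": {"N": "None", "P": "Passive", "A": "Active"},
    **{m: IMPACT for m in ("VC", "VI", "VA", "SC", "SI", "SA")},
}

def parse_vector(vector):
    """Return {metric: value} for the 11 base metrics, or raise ValueError."""
    prefix, *parts = vector.strip().split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    # Optional threat/environmental metrics may follow; only the base group is decoded.
    fields = [p.partition(":") for p in parts][:len(BASE_METRICS)]
    if [name for name, _, _ in fields] != list(BASE_METRICS):
        raise ValueError("base metrics missing or out of order")
    for name, _, value in fields:
        if value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
    return {name: value for name, _, value in fields}

def exploit_conditions(m):
    """Preconditions an attacker must meet, as booleans for policy rules."""
    return {
        "network_reachable": m["AV"] == "N",
        "authentication_required": m["PR"] != "N",
        "victim_interaction_required": m["UI"] != "N",
        "low_complexity": m["AC"] == "L" and m["AT"] == "N",
    }

def impacted_properties(m):
    """Security properties of the vulnerable system with non-None impact."""
    labels = {"VC": "confidentiality", "VI": "integrity", "VA": "availability"}
    return [label for key, label in labels.items() if m[key] != "N"]

def severity(score):
    """Qualitative rating band for a CVSS score."""
    bands = ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW"))
    return next((name for floor, name in bands if score >= floor), "NONE")

VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
if __name__ == "__main__":
    metrics = parse_vector(VECTOR)
    print(exploit_conditions(metrics), impacted_properties(metrics), severity(8.7))
```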