CVE-2026-26237: QuMagie
A missing authorization vulnerability has been reported to affect QuMagie. Remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 2.9.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
A missing authorization vulnerability affects QuMagie, a photo management application by QNAP Systems. The flaw is reachable over the network and requires no authentication, meaning any remote attacker who can reach the service can attempt exploitation. Successful exploitation gives an attacker read access to data they are not authorized to view. A patched-image rebuild at version 2.9.0 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-26237 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, covering both vendor-supplied and custom-built images that include QuMagie versions below 2.9.0. Any image in a connected registry or CI pipeline is eligible for scanning without additional configuration.
HarborGuard scores this CVE at 8.7 (HIGH) using the CVSS v4.0 vector and is capable of weighting that score against each environment's compliance policy to adjust priority. Findings can be routed automatically to the appropriate team inbox within each customer organization based on policy configuration.
A patched-image rebuild at QuMagie 2.9.0 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the QuMagie service over the network; no local or physical access is needed.
- Authentication: Not required
No account or session credential is needed; the vulnerability is exploitable by any unauthenticated remote party.
- Victim interaction: Not required
No user action is required; the attacker can trigger the vulnerability directly without involving a logged-in user.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other unpredictable environmental factors.
Blast Radius
- An attacker reads data stored in QuMagie that they have no authorization to access, such as private photo libraries or associated metadata.
- Confidentiality of all user content within the affected QuMagie instance is compromised; integrity and availability of data are not affected based on the CVSS impact tokens.
- On a multi-user NAS deployment, unauthorized data access extends across all user accounts whose content is managed by the vulnerable QuMagie version.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is matched against images in connected registries and pipelines within minutes of publication, including custom images built on QNAP base layers that bundle QuMagie. The vulnerability is scored at 8.7 (HIGH), and per-environment compliance policy weighting is available to adjust routing priority. Where compliance policy permits, HarborGuard can rebuild affected images at QuMagie 2.9.0, run a regression suite, and open a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who have not yet enabled auto-remediation can review the finding in the HarborGuard dashboard and trigger a manual rebuild targeting the 2.9.0 fix version.
Fix available
- QNAP Systems Inc. / QuMagie < 2.9.0 (from 2.9.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
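
The exploit conditions and blast radius listed above follow directly from this vector. The Python below is an added example, not HarborGuard or QNAP code: it validates and decodes the vector, derives the same conditions, and checks a version string against the 2.9.0 fix. The function names and the sample version strings are assumptions made for illustration.

```python
# Added example; function names are hypothetical, not a vendor or scanner API.
# Allowed values for the 11 mandatory CVSS v4.0 base metrics.
BASE_METRICS = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "HLN", "SA": "HLN",
}

def parse_cvss4(vector):
    """Return {metric: value}; raise ValueError on a malformed base vector."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for token in rest.split("/"):
        name, sep, value = token.partition(":")
        if not sep or name in metrics:
            raise ValueError(f"bad or duplicate token: {token!r}")
        allowed = BASE_METRICS.get(name)  # non-base metrics pass unchecked
        if allowed is not None and (len(value) != 1 or value not in allowed):
            raise ValueError(f"invalid value for {name}: {value!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics

def exploit_conditions(m):
    """Summarise preconditions and impact the way the page's sections do."""
    return {
        "network_reachable": m["AV"] == "N",
        "auth_required": m["PR"] != "N",
        "victim_interaction": m["UI"] != "N",
        "low_complexity": m["AC"] == "L" and m["AT"] == "N",
        "impacted": [k for k in ("VC", "VI", "VA", "SC", "SI", "SA") if m[k] != "N"],
    }

def is_affected(version, fixed="2.9.0"):
    """True when a dotted numeric version sorts below the fixed release."""
    a = [int(p) for p in version.split(".")]
    b = [int(p) for p in fixed.split(".")]
    width = max(len(a), len(b))  # pad so "2.9" compares equal to "2.9.0"
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))

VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"

if __name__ == "__main__":
    print(exploit_conditions(parse_cvss4(VECTOR)))
    for v in ("2.8.4", "2.9.0", "2.10.1"):  # constructed sample versions
        print(v, "affected" if is_affected(v) else "not affected")
```

The numeric comparison matters for versions such as 2.10.1, which a plain string comparison would wrongly sort below 2.9.0.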