CVE-2026-44083: QuMagie
An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. Remote attackers can exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 2.9.1
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization bypass through user-controlled key vulnerability affects QNAP QuMagie versions before 2.9.1. The flaw is reachable over the network and requires no authentication, allowing a remote attacker to manipulate a key the application trusts in order to gain unintended privileges. Successful exploitation gives the attacker read access to confidential data stored within the application. A patched-image rebuild at QuMagie 2.9.1 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-44083 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that package QuMagie. Any image running a QuMagie version below 2.9.1 is flagged automatically.
HarborGuard scores this CVE at 8.7 HIGH using the CVSS v4.0 vector and applies each customer organization's compliance policy weighting to prioritize the finding appropriately. Triage routing is available to direct the alert to the team or inbox configured for the affected workload within each customer environment.
A patched-image rebuild at QuMagie 2.9.1 becomes available through HarborGuard the moment the fix version is resolvable in the upstream package feed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the QuMagie service over the network; no local or physical access is needed.
- Authentication: Not required
  No account or session credentials are needed; the attacker can send unauthenticated requests to the vulnerable endpoint.
- Victim interaction: Not required
  The attacker does not need any user on the target system to click a link, open a file, or take any other action.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race conditions, special memory layout, or other environmental factors need to be aligned.
Blast Radius
- The attacker reads confidential data stored inside QuMagie, such as photo libraries, album metadata, and any associated user records visible to the bypassed authorization context.
- Data integrity is not affected; the attacker cannot modify or delete stored content through this vulnerability alone.
- Service availability is not affected; the QuMagie instance continues running normally during and after exploitation.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-44083 is active for all scanned images carrying a QuMagie version below 2.9.1, with findings surfaced within minutes of the CVE entering upstream feeds. A rebuilt image at QuMagie 2.9.1 is available for affected environments. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run regression tests, and open a pull request against affected workloads automatically; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the configured owner inbox with the CVSS score, vector breakdown, and fix version attached for rapid review.
Fix available
- QNAP Systems Inc. / QuMagie < 2.9.1 (from 2.9.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N