Threat Advisory

Multiple QNAP QuMagie Vulnerabilities Allow Unauthenticated Access

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in QNAP’s QuMagie photo‑management application and the associated License Center component for QNAP NAS devices. Affected versions include QuMagie 2.8.2, 2.9.0 and earlier releases, as well as License Center 1.8.56. The flaws primarily enable information disclosure, allowing unauthenticated attackers to retrieve private photos, AI‑generated face‑recognition thumbnails, and entire album archives, while a separate path‑traversal issue permits an authenticated admin to read files outside the intended directory. Exposure of personal media can lead to extortion, doxxing, identity theft, and damage to brand reputation, representing a serious business risk for any organization that stores sensitive visual data on QNAP devices.


  • CVE-2026-26236 – An unauthenticated attacker can directly request endpoints to download stored media files from QuMagie, requiring no credentials or prior interaction.
  • CVE-2026-26237 – This flaw reveals face‑recognition thumbnails and folder cover images without authentication, allowing remote actors to harvest visual identifiers of individuals.
  • CVE-2026-44083 – Pre‑authentication access enables retrieval of full album archives, giving attackers bulk exposure of private photo collections.
  • CVE-2025-62851 – A path‑traversal vulnerability in License Center permits an authenticated administrator to read arbitrary files outside the application directory, potentially exposing configuration or credential data.

Collectively these vulnerabilities pose an urgent risk of data leakage that could be leveraged for extortion or reputation damage. If exploited, organizations may face legal liability, loss of customer trust, and operational disruption due to the compromise of sensitive visual assets. Immediate attention is warranted to protect confidential media and maintain compliance with privacy obligations.

RECOMMENDATION:

  • We recommend updating QuMagie to version 2.9.1, QuMagie to version 2.10.0, and License Center to version 2.0.42.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/qnap-qumagie-vulnerabilities/
