CVE-2026-44083

Critical · CVSS 9.8

QuMagie — Authorization bypass through user-controlled key (IDOR / Broken Object Level Authorization)

CVSS: 9.8; nvd
EPSS: 0.06%; 20th pct
KEV: No
Class: other; CWE-639

Description

An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later

Search profile — drives PoC discovery

Symbols QuMagieQSA-26-35CWE-639user-controlled keyauthorization bypass

Keywords CVE-2026-44083QuMagieauthorization bypassuser-controlled keyIDORQNAP QuMagieQSA-26-35privilege escalationCWE-639

Versions: QuMagie < 2.9.1

References

https://www.qnap.com/en/security-advisory/qsa-26-35

Status: enriched · ingested 2026-06-12T18:00:30.000Z · profiled 2026-06-16T18:20:23.035Z