CVE-2026-24717: QNAP Path Traversal Vulnerability (QTS / QuTS hero)
A path traversal vulnerability in QNAP operating systems allows an attacker who already has administrator credentials to read files and system data they shouldn't have access to. While the attacker needs valid admin account access first, once obtained, they can bypass file access restrictions to view sensitive information. QNAP has released patched versions across multiple OS lines to fix this issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-30
NVD description (verbatim)
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-24717 is a CWE-22 (improper limitation of a pathname to a restricted directory) vulnerability affecting QNAP QTS and QuTS hero distributions. The flaw enables path traversal attacks when executed by an authenticated administrator-level user, permitting unauthorized file system traversal and data disclosure. The vulnerability does not impact system integrity or availability—only confidentiality of stored data is at risk. QNAP has published patches across four affected version streams with build dates ranging from April through May 2026.
Business impact
Organizations using vulnerable QNAP NAS appliances face insider risk and privilege abuse scenarios. An administrator account compromise—whether through credential theft, insider threat, or supply chain attack—becomes significantly more damaging, as attackers gain unfettered read access to configuration files, credentials, and backup data often stored on NAS systems. For enterprises managing sensitive customer data or intellectual property on QNAP infrastructure, this creates a secondary breach vector post-compromise. Data theft impact could be substantial depending on what information is stored on affected systems.
Affected systems
The vulnerability affects QNAP QTS and QuTS hero operating system families. Specifically: QTS versions prior to 5.2.9.3492 build 20260507; QuTS hero h5.2.9.3499 build 20260514 and earlier; QuTS hero h5.3.4.3500 build 20260520 and earlier; and QuTS hero h6.0.0.3459 build 20260409 and earlier. Organizations should inventory their QNAP appliances by OS version and build number to identify exposure. The vulnerability is OS-level, affecting any hardware model running these operating system versions.
Exploitability
Exploitation requires two preconditions: the attacker must possess valid administrator credentials, and they must have network access to the QNAP management interface. This makes the vulnerability medium-criticality from a standalone perspective—it is not remotely exploitable by anonymous attackers. However, the threshold for an attacker with admin access is low; path traversal is a straightforward technique to execute once authentication is bypassed. The CVSS 3.1 score of 6.5 reflects the high privilege requirement but acknowledges the significant confidentiality impact if those credentials are compromised.
Remediation
Apply the patched OS versions specified by QNAP: upgrade to QTS 5.2.9.3492 build 20260507 or later, QuTS hero h5.2.9.3499 build 20260514 or later, QuTS hero h5.3.4.3500 build 20260520 or later, or QuTS hero h6.0.0.3459 build 20260409 or later. Before patching, verify compatibility with your deployed models and any running services. Test in a non-production environment if feasible.
Patch guidance
Review QNAP's official security advisory for your specific QuTS hero or QTS version line to confirm the exact patched build number. Most QNAP appliances support over-the-air updates through the System Settings interface. Schedule patching during a maintenance window, as updates may require service restart. For organizations running multiple appliances, prioritize systems storing sensitive data or hosting business-critical backups. Verify successful patch application by checking the OS build version post-update to confirm it meets or exceeds the fixed build dates provided.
Detection guidance
Monitor QNAP appliance logs for unusual file system access patterns initiated by administrator-level sessions, particularly queries to configuration directories or system files outside normal administrative workflows. Review access control logs if your QNAP model supports them. Threat hunting should focus on identifying whether administrator accounts have been compromised by correlating login times with abnormal data access or suspicious file reads. Security teams should also audit credential management practices to detect weak admin passwords or shared credentials that could be harvested.
Why prioritize this
Although classified as MEDIUM severity and not yet in CISA's Known Exploited Vulnerabilities catalog, this vulnerability deserves timely attention because (1) NAS systems are high-value targets for data theft, (2) compromised admin credentials are a realistic threat in most environments, and (3) the remediation is straightforward through patching. Prioritize based on whether your organization stores regulated or confidential data on QNAP infrastructure and the maturity of your credential management practices. For organizations with strong privileged access governance, this is lower-priority; for those with shared or reused admin accounts, it warrants faster remediation.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects a vulnerability requiring high privilege level to exploit (PR:H) but delivering high confidentiality impact (C:H) over a network vector. The absence of integrity impact (I:H is present in the vector, but realistically path traversal is read-only) and availability impact, combined with the mandatory admin credential requirement, prevents a higher rating. Organizations should not underestimate medium-severity flaws affecting data-tier infrastructure; context matters as much as the numeric score.
Frequently asked questions
Can this vulnerability be exploited by unauthenticated attackers?
No. The vulnerability requires a valid administrator account on the QNAP system. An attacker must first obtain admin credentials through credential theft, phishing, insider action, or account compromise. It is not remotely exploitable by anonymous users.
What files or data can an attacker access via path traversal?
The vulnerability allows reading of unexpected files and system data. Depending on file system permissions, this could include configuration files, system logs, backup metadata, or stored credentials. The specific data accessible depends on what files exist on the system and their permissions.
Is there a workaround if I cannot patch immediately?
The primary mitigation is to enforce strong administrator account security: use unique, complex passwords; disable unnecessary admin accounts; implement account lockout policies; and monitor for unauthorized admin logins. However, patching remains the definitive fix and should be prioritized.
Will patching my NAS require downtime?
Most QNAP updates can be applied through the web interface and may require a system restart. The exact downtime depends on your hardware, the update size, and current workload. Test the update process in your environment or consult QNAP support for your specific model to estimate duration.
This analysis is for informational purposes and should not be considered a substitute for vendor advisories or your organization's own risk assessment. CVSS scores and patch versions cited here are derived from the published CVE record and vendor guidance; always verify against the latest official QNAP security advisory before applying patches. No guarantee is provided that patches are available for all hardware models or that patching will not affect dependent services. Organizations should test updates in non-production environments and consult QNAP support for compatibility with legacy or specialized deployments. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-62851MEDIUMQNAP License Center Path Traversal Vulnerability – CVSS 4.4
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2022-50953MEDIUMWordPress admin-word-count-column Plugin Local File Read Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)