Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-24717

CVE-2026-24717: QNAP Path Traversal Vulnerability

CVE-2026-24717 is a path traversal vulnerability affecting QNAP QTS and QuTS hero operating systems. Attackers with admin access can read unauthorized files. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-24717 Overview

CVE-2026-24717 is a path traversal vulnerability [CWE-22] affecting multiple QNAP operating system versions. An authenticated remote attacker with administrator privileges can exploit the flaw to read the contents of unexpected files or system data on the affected device. QNAP has released fixes across the QTS and QuTS hero product lines.

The vulnerability requires high privileges to exploit, which limits its practical attack surface. However, compromised or shared administrator credentials remain a realistic path to abuse on internet-exposed network-attached storage (NAS) devices.

Critical Impact

An authenticated administrator can traverse outside intended directories to read arbitrary files, exposing system configuration and sensitive data stored on the QNAP appliance.

Affected Products

  • QNAP QTS versions prior to 5.2.9.3492 build 20260507
  • QNAP QuTS hero h5.2.x prior to h5.2.9.3499 build 20260514 and h5.3.x prior to h5.3.4.3500 build 20260520
  • QNAP QuTS hero h6.0.x prior to h6.0.0.3459 build 20260409

Discovery Timeline

  • 2026-06-10 - CVE-2026-24717 published to the National Vulnerability Database (NVD)
  • 2026-06-10 - Last updated in the NVD database

Technical Details for CVE-2026-24717

Vulnerability Analysis

The issue is a path traversal weakness in QNAP operating system components. The vulnerable code paths fail to properly normalize or constrain user-supplied path input before resolving it against the file system. An authenticated administrator can submit crafted relative path segments such as ../ sequences to escape the intended working directory.

Successful exploitation allows the attacker to read files outside the intended scope, including system configuration files and other sensitive data accessible to the service process. The vulnerability does not directly grant write access or code execution based on the available impact metrics, which show confidentiality impact only.

Because the attack vector is network-based and exploitation requires authentication as an administrator, the practical risk concentrates on devices where administrator credentials are weak, reused, or already compromised through phishing or credential stuffing.

Root Cause

The root cause is insufficient input validation on file path parameters processed by the QNAP operating system. Path components are not canonicalized prior to being concatenated with a base directory, allowing relative traversal sequences to resolve to locations outside the intended scope.

Attack Vector

An attacker authenticates to the QNAP web management interface or API with administrator credentials. The attacker then issues a request to a vulnerable endpoint, supplying a path parameter that includes traversal sequences. The server resolves the path against the underlying file system and returns the contents of the targeted file. No user interaction is required beyond the attacker's own authentication.

No verified public exploit code is available for CVE-2026-24717. Technical details are limited to the vendor advisory. See the QNAP Security Advisory QSA-26-34 for the official disclosure.

Detection Methods for CVE-2026-24717

Indicators of Compromise

  • HTTP requests to QNAP management endpoints containing encoded or literal ../ sequences in path or filename parameters.
  • Administrator session activity originating from unfamiliar IP addresses or geographies, particularly outside business hours.
  • Access to system files such as /etc/shadow, /etc/config/, or other paths outside expected NAS share locations recorded in QNAP logs.

Detection Strategies

  • Monitor QNAP web access logs for request parameters containing traversal patterns including ..%2f, ..\, and double-encoded variants.
  • Correlate administrator logins with subsequent file-read operations targeting non-share paths to identify abnormal post-authentication behavior.
  • Alert on bulk read activity by administrator accounts against system configuration directories.

Monitoring Recommendations

  • Forward QNAP system and access logs to a centralized log platform for retention and correlation across the fleet.
  • Track failed and successful administrator authentication events to detect credential brute force preceding exploitation.
  • Establish a baseline of normal administrator file access patterns and alert on deviations.

How to Mitigate CVE-2026-24717

Immediate Actions Required

  • Upgrade affected QNAP devices to the fixed firmware versions listed by the vendor without delay.
  • Audit administrator accounts on all QNAP appliances and remove or disable any that are unused or unnecessary.
  • Rotate administrator passwords and enforce two-factor authentication for all administrative access.
  • Restrict management interface exposure to trusted internal networks or a VPN, removing direct internet exposure.

Patch Information

QNAP has addressed CVE-2026-24717 in the following releases:

  • QTS 5.2.9.3492 build 20260507 and later
  • QuTS hero h5.2.9.3499 build 20260514 and later
  • QuTS hero h5.3.4.3500 build 20260520 and later
  • QuTS hero h6.0.0.3459 build 20260409 and later

Apply updates through the QNAP Desktop by navigating to Control Panel > System > Firmware Update, or download the firmware from the QNAP Security Advisory QSA-26-34.

Workarounds

  • Place QNAP management interfaces behind a VPN or restrict access using IP allow-lists until patches are applied.
  • Disable remote administrator login and any unused services on the appliance to reduce the exploitable surface.
  • Enforce strong, unique passwords and multi-factor authentication on every administrator account.
bash
# Verify the current QNAP firmware version from the CLI
getcfg System Version
getcfg System "Build Number"

# Restrict the admin web interface to a trusted management subnet
# Example iptables rule applied via the QNAP firewall configuration
iptables -A INPUT -p tcp --dport 8080 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne