Platform: qnap
Component: qvr-pro
Fixed in: 2.7.4.14
CVE-2026-22898 describes a critical missing authentication vulnerability affecting QVR Pro versions 2.7.0 through 2.7.4.14. Successful exploitation allows remote attackers to gain unauthorized access to the system. This vulnerability has been addressed in QVR Pro version 2.7.4.14 and subsequent releases.
The missing authentication control allows attackers to bypass security measures and directly interact with sensitive system functions within QVR Pro. This could lead to unauthorized data access, modification, or deletion, potentially compromising the integrity and confidentiality of video recordings and related metadata. Depending on the system configuration, an attacker could also leverage this access to move laterally within the network, impacting other connected devices and services. The blast radius extends to any data or functionality accessible through the QVR Pro interface.
CVE-2026-22898 was publicly disclosed on 2026-03-20. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Monitor QNAP security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Exploit Status
EPSS: 0.44% (63% percentile)
CISA SSVC
The primary mitigation for CVE-2026-22898 is to immediately upgrade QVR Pro to version 2.7.4.14 or a later, patched release. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing stricter network segmentation to limit external access to the QVR Pro server. Review and strengthen firewall rules to restrict access to only authorized IP addresses. While a WAF might not directly address this authentication bypass, it can help detect and block suspicious traffic patterns associated with exploitation attempts. Verify that all default accounts have strong, unique passwords.
Update QVR Pro to version 2.7.4.14 or later. This update corrects the missing authentication vulnerability that allows unauthorized access to the system.
CVE-2026-22898 is a vulnerability in QVR Pro versions 2.7.0–2.7.4.14 where a critical function lacks authentication, allowing attackers to gain system access.
If you are running QVR Pro versions 2.7.0 through 2.7.4.14, you are potentially affected by this vulnerability.
Upgrade QVR Pro to version 2.7.4.14 or a later version to address the missing authentication vulnerability.
Currently, there are no publicly known active exploitation campaigns, but it's crucial to apply the patch promptly.
Refer to the official QNAP security advisory for detailed information and updates regarding CVE-2026-22898.