CVE-2026-2237
Volume Encryption Information Disclosure in Synology Storage Manager
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Synology Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| synology | storage_manager | From 1.0.1-1100 (inc) |
| synology | storage_manager | From 7.2.1 (inc) to 1.0.1-1100 (exc) |
| synology | storage_manager | From 7.2.2 (inc) to 1.0.1-1100 (exc) |
| synology | storage_manager | From 7.3 (inc) to 1.0.1-1100 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-598 | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows local attackers to obtain sensitive information because the volume encryption feature passes sensitive values in the query string of GET requests. Exposure of such information could affect compliance with data protection standards such as GDPR and HIPAA, which require that sensitive data be safeguarded against unauthorized access.
However, the advisory provides no specific information on the direct impact on compliance with these regulations, and no recommended mitigation beyond applying the security update.
Can you explain this vulnerability to me?
This vulnerability involves the use of the GET request method with sensitive query strings in the volume encryption feature of the Synology Storage Manager package before version 1.0.1-1100.
Values carried in a GET query string are more exposed than values sent in a request body, since they tend to be recorded in places such as server logs and browser history; this is the weakness CWE-598 describes, and it is how local attackers can obtain the sensitive information.
How can this vulnerability impact me?
The vulnerability allows local attackers to access sensitive information, which could lead to unauthorized disclosure of confidential data.
Since the vulnerability affects volume encryption, it may compromise the security of encrypted data stored on the affected Synology devices.
The CVSS base score of 6.2 indicates medium (moderate) severity: the impact is significant, but the vulnerability does not allow full system compromise or data modification.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the Synology Storage Manager package to version 1.0.1-1100 or later.
This update addresses the weakness that allows local attackers to obtain sensitive information via GET request methods with sensitive query strings.