Sensitive Information Disclosure in Synology Storage Manager
CVE-2026-2237

6.2 MEDIUM

Key Information:

Vendor

Synology

CVE Published:
27 May 2026

What is CVE-2026-2237?

A vulnerability exists in the volume encryption of Synology's Storage Manager package prior to version 1.0.1-1100. This flaw arises from the use of the GET request method with sensitive query strings, which could allow local attackers to gain unauthorized access to sensitive information stored within the system. Organizations using the affected versions are urged to update their software to the latest version to safeguard their data.

Affected Version(s)

Storage Manager *

CVSS V3.1

Score:
6.2
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Simon Baaske (Serviceware)