CVE-2026-2237 PUBLISHED

Assigner: synology
Reserved: 09.02.2026 Published: 27.05.2026 Updated: 27.05.2026

A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.2

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Synology
Product	Storage Manager
Versions	Default: affected affected from * to 1.0.1-1100 (excl.)

Credits

Simon Baaske (Serviceware) finder

References

Synology-SA-26:01 Storage Manager

Problem Types

Use of GET Request Method With Sensitive Query Strings CWE