Synology DiskStation Manager Information Disclosure Vulnerability WID-SEC-2026-1261
Summary
CERT-Bund issued security advisory WID-SEC-2026-1261 disclosing an information disclosure vulnerability in Synology DiskStation Manager. The vulnerability, with CVSS Base Score 4.3 (medium) and Temporal Score 3.8 (low), allows a remote authenticated attacker to exploit the flaw and disclose information. Affected versions include DiskStation Manager versions prior to 7.3-81180, 7.2.2-72806-7, and 7.2.1-69057-10. A mitigation is available. Organizations using Synology NAS devices should verify their DSM versions and apply updates as needed.
“Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Synology DiskStation Manager ausnutzen, um Informationen offenzulegen.”
About this source
CERT-Bund is the German federal cybersecurity agency's incident response team, run by the BSI. Their advisory feed publishes vulnerability disclosures and active exploitation warnings for software in widespread enterprise use: VPN appliances, email servers, file transfer products, ERP systems, browsers, hypervisors. Around 280 advisories a month, each with a CVSS score, affected versions, and remediation guidance. The advisories are written in German but cover the same vulnerabilities that show up in CISA, NCSC-UK, and JPCERT bulletins, often hours earlier. Watch this if you patch enterprise software, run a SOC, or write detection rules. GovPing publishes each advisory with the affected vendor, CVSS score, and original CERT-Bund link.
What changed
CERT-Bund published security advisory WID-SEC-2026-1261 notifying of an information disclosure vulnerability in Synology DiskStation Manager. The vulnerability affects multiple versions across DSM 7.x releases and carries a CVSS Base Score of 4.3 (medium). The advisory confirms remote attack is possible and that a mitigation exists.
Organizations operating Synology NAS devices should identify their current DSM version and compare against the affected version thresholds. Where versions are below the patched releases (7.3-81180, 7.2.2-72806-7, 7.2.1-69057-10), updates should be applied. Given this is an authenticated-attack vector, organizations should also review access controls and user authentication configurations for DSM installations exposed to network access.
Archived snapshot
Apr 24, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
[WID-SEC-2026-1261] Synology DiskStation Manager: Schwachstelle ermöglicht Offenlegung von Informationen CVSS Base Score 4.3 (mittel) CVSS Temporal Score 3.8 (niedrig) Remoteangriff ja Datum 23.04.2026 Stand 24.04.2026 Mitigation ja
Betroffene Systeme
Betriebssystem
- Sonstiges
Produktbeschreibung
DiskStation Manager (DSM) ist ein webbasiertes Betriebssystem für Synology NAS-Geräte.
Produkte
23.04.2026
- Synology DiskStation Manager <7.3-81180
Synology DiskStation Manager <7.2.2-72806-7
Synology DiskStation Manager <7.2.1-69057-10
Angriff
Angriff
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Synology DiskStation Manager ausnutzen, um Informationen offenzulegen. CVE Informationen Versionshistorie Feedback zum Advisory geben
Parties
Related changes
Get daily alerts for CERT-Bund Security Advisories
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from CERT-Bund.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CERT-Bund Security Advisories publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.