Medium severity6.8NVD Advisory· Published May 27, 2026

CVE-2024-11399

Description

Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A files/directories accessible to external parties vulnerability in Synology BeeDrive's redis-server component allows local users to cause denial-of-service.

Vulnerability

A CWE-552 vulnerability exists in the redis-server component of Synology BeeDrive for desktop versions before 1.3.2-13814. The issue allows files or directories to be accessible to external parties, enabling a local user to conduct denial-of-service attacks via unspecified vectors [1].

Exploitation

An attacker with local access to the system (no authentication required, as per CVSS vector AV:L/AC:L/PR:N/UI:N) can exploit this vulnerability by accessing files or directories that should not be exposed. The exact vectors are not disclosed, but the condition is reachable without user interaction or special privileges [1].

Impact

Successful exploitation results in a denial-of-service condition, affecting the availability of the redis-server component. The CVSS score indicates high availability impact (A:H) and low integrity impact (I:L), with no confidentiality impact (C:N). The attacker does not gain elevated privileges but can disrupt service [1].

Mitigation

Synology has released a fixed version: upgrade to BeeDrive for desktop 1.3.2-13814 or above. No workaround is available. The advisory was initially published on 2024-11-26, with details disclosed on 2026-05-27 [1].

References

Synology_SA_24_26 | Synology Inc.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Synology/BeeDrivellm-fuzzy
Range: <1.3.2-13814

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

www.synology.com/en-global/security/advisory/Synology_SA_24_26nvd

News mentions

No linked articles in our index yet.

cvss	0.442
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000