Critical QNAP TS-453E RCE Vulnerability (CVE-2026-22898) Allows Unauthenticated Code Execution
A critical unauthenticated remote code execution vulnerability in QNAP TS-453E devices running the QVRPro Plugin allows network-adjacent attackers to execute arbitrary code as the postgres user.

A critical unauthenticated remote code execution vulnerability has been disclosed in QNAP TS-453E network-attached storage devices running the QVRPro Plugin. Tracked as CVE-2026-22898 and assigned a CVSS score of 8.8, the flaw allows network-adjacent attackers to execute arbitrary code on affected installations without requiring authentication. The vulnerability was reported by researchers Daniel FREDERIC, Julien COHEN-SCALI, and Patrick VENTUZELO from Fuzzinglabs and disclosed through the Zero Day Initiative (ZDI) on April 15, 2026.
The specific flaw exists within the QVRPro Plugin, a surveillance application for QNAP NAS devices. The issue results from an exposed dangerous method in the excpostgres component. The attack vector is network-adjacent: the attacker must be on the same local network as the target device, but no authentication is required. Successful exploitation executes code in the context of the postgres user, which has significant system privileges.
The impact of successful exploitation is severe. An attacker could gain full control over the affected QNAP TS-453E device, potentially accessing, modifying, or deleting stored data, installing malware, or using the compromised device as a pivot point for further attacks on the network. Given that QNAP NAS devices are commonly used in small offices and home environments for data storage and surveillance, the potential for data theft or ransomware deployment is significant.
QNAP has issued a security update to address this vulnerability. The fix is detailed in QNAP security advisory QSA-26-07, available at https://www.qnap.com/en-ca/security-advisory/qsa-26-07. Users of QNAP TS-453E devices running the QVRPro Plugin are strongly advised to apply the update immediately. The disclosure timeline shows the vulnerability was reported to QNAP on January 22, 2026, with coordinated public release on April 15, 2026.
This vulnerability highlights the ongoing risks associated with exposed dangerous methods in network-connected devices. As NAS devices become increasingly integrated into home and business networks through applications like QVRPro, the attack surface expands. The fact that the flaw requires no authentication and allows code execution as a privileged user makes it particularly dangerous. QNAP has a history of similar vulnerabilities in its surveillance and multimedia applications, underscoring the need for regular security updates and network segmentation for IoT and NAS devices.