CVE-2026-22894: CWE-22 in QNAP Systems Inc. File Station 5
CVE-2026-22894 is a path traversal vulnerability in QNAP Systems Inc.'s File Station 5 (version 5.5.x). A remote attacker with a valid user account can exploit this flaw to access unauthorized files and system data by manipulating file paths. The vulnerability does not require user interaction and has a low CVSS score of 1.3, indicating limited impact and ease of exploitation. The issue has been fixed in File Station 5 version 5.5.6.
AI Analysis
Technical Summary
CVE-2026-22894 is a path traversal vulnerability classified under CWE-22 affecting QNAP Systems Inc.'s File Station 5, specifically versions 5.5.x. The vulnerability allows an authenticated remote attacker to manipulate file path inputs to access files outside the intended directory scope, potentially reading sensitive system or user data that should be inaccessible. The flaw arises from insufficient validation or sanitization of file path parameters within the File Station 5 application, enabling directory traversal attacks. Exploitation requires the attacker to have a valid user account on the system, but no additional user interaction or elevated privileges are necessary. The vulnerability has a CVSS 4.0 base score of 1.3, reflecting low impact primarily due to the requirement for authentication and limited confidentiality impact. The vendor has addressed this issue in version 5.5.6.5190 and later, mitigating the risk by properly validating file paths to prevent traversal. No public exploits or active exploitation campaigns have been reported to date. The vulnerability could be leveraged by attackers who have gained user credentials, such as through phishing or credential stuffing, to escalate their access to sensitive files on affected QNAP NAS devices running File Station 5.
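The fix described above, "properly validating file paths to prevent traversal", comes down to a containment check. The following is an added illustration of that check, not QNAP's code (File Station's internal path handling is not shown on this page): a naive join that trusts the caller's relative path, beside a hardened resolver that canonicalizes the result and refuses anything that lands outside the user's share root. The share layout it builds in a temporary directory is constructed for the demo.

```python
import os
import tempfile

def naive_resolve(share_root: str, user_path: str) -> str:
    # The CWE-22 pattern: the user-supplied path is joined onto the share
    # root without checking where the result lands, so ".." segments escape.
    return os.path.normpath(os.path.join(share_root, user_path))

def safe_resolve(share_root: str, user_path: str) -> str:
    """Return the canonical absolute path of user_path inside share_root,
    or raise PermissionError if it would resolve outside the share."""
    root = os.path.realpath(share_root)
    # A leading slash is treated as "relative to the share root", so an
    # absolute path cannot be used to jump to the filesystem root.
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    # realpath() resolves ".." and follows symlinks, so a link inside the
    # share that points outside it is caught by the same comparison.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes share: {user_path!r}")
    return candidate

def demo() -> dict:
    """Build a constructed share layout and exercise both resolvers."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "shares", "alice")
    os.makedirs(share)
    with open(os.path.join(share, "notes.txt"), "w") as f:
        f.write("ok")
    # A file outside the share that the user must not be able to reach.
    secret = os.path.join(base, "etc", "config.ini")
    os.makedirs(os.path.dirname(secret))
    with open(secret, "w") as f:
        f.write("secret")
    # A symlink inside the share pointing at the directory outside it.
    os.symlink(os.path.dirname(secret), os.path.join(share, "link"))
    results = {}
    results["naive_escapes"] = naive_resolve(share, "../../etc/config.ini") == os.path.normpath(secret)
    results["safe_allows_normal"] = safe_resolve(share, "notes.txt") == os.path.realpath(os.path.join(share, "notes.txt"))
    for label, p in [("dotdot", "../../etc/config.ini"),
                     ("absolute", "/../../etc/config.ini"),
                     ("symlink", "link/config.ini")]:
        try:
            safe_resolve(share, p)
            results[label + "_blocked"] = False
        except PermissionError:
            results[label + "_blocked"] = True
    return results
```

The three blocked cases in `demo()` are the usual ways a traversal check is bypassed when it only strips `..` textually rather than comparing canonical paths.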
Potential Impact
For European organizations, the primary impact of this vulnerability is unauthorized disclosure of sensitive files stored on QNAP NAS devices running vulnerable File Station 5 versions. This could include configuration files, user data, or system information that may aid further attacks or data breaches. While the vulnerability does not allow privilege escalation or remote code execution, the exposure of sensitive data can compromise confidentiality and potentially lead to compliance violations under GDPR if personal data is accessed. Organizations relying on QNAP NAS for critical file storage or backup may face operational risks if sensitive data is exposed. The requirement for valid user credentials limits the attack surface to insiders or attackers who have already compromised user accounts, but this still represents a significant risk in environments with weak authentication controls. Given the widespread use of QNAP devices in European SMBs and enterprises, the vulnerability could affect a broad range of sectors including finance, healthcare, and government, where data confidentiality is paramount.
Mitigation Recommendations
European organizations should immediately verify the version of QNAP File Station 5 deployed and upgrade to version 5.5.6.5190 or later where the vulnerability is patched. Implement strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Regularly audit user accounts and permissions to ensure that only authorized personnel have access to File Station. Employ network segmentation to limit access to NAS devices from untrusted networks. Monitor access logs for unusual file access patterns that may indicate exploitation attempts. Additionally, consider deploying endpoint detection and response (EDR) solutions to detect lateral movement or suspicious activity related to NAS devices. Educate users on phishing and credential security to prevent initial account compromise. Finally, maintain up-to-date backups and incident response plans to quickly recover from any potential data exposure incidents.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: qnap
- Date Reserved: 2026-01-13T07:49:08.783Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698c7a214b57a58fa195d103
Added to database: 2/11/2026, 12:46:25 PM
Last enriched: 2/18/2026, 3:09:55 PM
Last updated: 3/28/2026, 8:30:23 PM