CVE-2026-3091 is a vulnerability classified as an uncontrolled search path element issue affecting Synology Presto Client versions prior to 2.1.3-0672. The flaw arises because the installer process does not securely handle the search path for DLL loading, allowing a local attacker to place a malicious DLL in the same directory as the installer executable. When the installer runs, it loads the attacker's DLL instead of the legitimate one, enabling arbitrary file read or write operations during installation. This can lead to unauthorized access or modification of files, potentially compromising system confidentiality, integrity, and availability. Exploitation requires local user privileges, elevated permissions, and user interaction to execute the installer. The vulnerability has a CVSS v3.1 base score of 6.7, reflecting medium severity due to the combination of local attack vector, required privileges, and user interaction. No public exploits have been reported yet, but the vulnerability poses a risk in environments where local access is possible and Synology Presto Client is used. The issue underscores the importance of secure DLL search path handling to prevent DLL hijacking attacks during software installation.

The vulnerability allows local attackers to execute arbitrary code or manipulate files during the installation process by placing malicious DLLs, potentially leading to unauthorized disclosure, modification, or destruction of data. This can compromise system confidentiality, integrity, and availability. Organizations relying on Synology Presto Client for data transfer or backup may face risks of data breaches, system instability, or persistent malware installation. Although exploitation requires local access and user interaction, insider threats or compromised user accounts could leverage this flaw to escalate privileges or disrupt operations. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant risk in environments with multiple users or insufficient endpoint security controls.

To mitigate this vulnerability, organizations should immediately update Synology Presto Client to version 2.1.3-0672 or later where the issue is resolved. Restrict local system access to trusted users only and enforce the principle of least privilege to minimize the risk of local exploitation. Implement application whitelisting and endpoint protection solutions that can detect and block unauthorized DLL loading or suspicious installer behavior. Educate users to avoid running installers from untrusted locations and verify installer integrity before execution. Additionally, system administrators should monitor installation directories for unauthorized DLL files and employ file integrity monitoring tools. Where possible, conduct installations in controlled environments and avoid running installers with elevated privileges unless necessary. Regularly audit local user accounts and permissions to reduce the attack surface.