Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6.
AnalysisAI
Nanoleaf Lines firmware versions prior to 12.3.6 lack authentication controls on firmware file upload endpoints, allowing remote unauthenticated attackers to upload arbitrary files to the device. This vulnerability enables denial-of-service attacks through storage resource exhaustion and potential firmware tampering without requiring valid credentials or user interaction. The vulnerability has a CVSS score of 6.5 (Medium) with network-based attack vector and low complexity, and is tagged with denial-of-service impact indicators in CISA reporting.
Technical ContextAI
The vulnerability exists in Nanoleaf Lines smart lighting controllers (CPE: cpe:2.3:a:nanoleaf:lines:*:*:*:*:*:*:*:*) which are IoT devices that manage LED light arrays through firmware and configuration updates. The root cause is classified under CWE-400 (Uncontrolled Resource Consumption), specifically stemming from missing authentication mechanisms on firmware upload endpoints. The device firmware update process fails to verify the identity or authorization of upload requests before accepting and storing files, allowing any network-accessible attacker to submit malicious or oversized payloads that consume finite device storage resources without authentication or prior privilege escalation.
RemediationAI
Immediately upgrade Nanoleaf Lines devices to firmware version 12.3.6 or later, which patches the authentication bypass. Users should access device settings through the Nanoleaf mobile application or web interface to trigger firmware update checks, or manually download the latest firmware from the Nanoleaf support website and upload it through an authenticated session only after applying this patch. As a temporary workaround pending patch deployment, restrict network access to Nanoleaf Lines devices by implementing network segmentation (VLAN isolation or firewall rules limiting device access to trusted administrative subnets only) and disabling remote management features if available. Monitor device storage usage for signs of exploitation (unexpected file uploads consuming disk space). Refer to the CISA advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-084-01.json for additional hardening guidance.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15421