Skip to main content

Yi Technology YI Home Camera CVE-2026-4476

| EUVDEUVD-2026-13598 LOW
Improper Authentication (CWE-287)
2026-03-20 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
CVSS changed
Apr 22, 2026 - 21:37 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13598
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 07:16 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

The YI Home Camera 2 (version 2.1.1_20171024151200) CGI endpoint fails to properly authenticate requests to the /home/web/ipc function, allowing unauthenticated attackers on the local network to manipulate camera settings and access sensitive functionality. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with network access to the camera could read configuration data, modify settings, or disrupt normal operations.

Technical ContextAI

The vulnerability exists in the CGI (Common Gateway Interface) endpoint handling component of the Yi Home Camera 2's web interface, specifically the /home/web/ipc file. The root cause is classified under CWE-287 (Improper Authentication), indicating that the application fails to implement proper credential validation mechanisms for sensitive operations. CGI endpoints are commonly used in embedded devices to handle HTTP requests for configuration and control. The affected technology stack involves a custom web server implementation on the Yi Home Camera 2 hardware platform. Since the exact function is unknown, the vulnerability likely affects multiple CGI handlers that trust network proximity (local network requirement) as a security boundary rather than implementing proper authentication tokens, sessions, or cryptographic verification.

RemediationAI

The primary remediation is to upgrade the YI Home Camera 2 to a newer firmware version if available from Yi Technology; however, given the vendor's non-responsiveness to disclosure, official patched versions have not been confirmed. Until a vendor update is available, implement network-level compensating controls: restrict camera access to a dedicated VLAN or network segment with strict firewall rules, disable remote access to the camera from the internet, and disable the CGI endpoint if not required for essential functionality. For environments that cannot isolate the camera, consider replacing it with a device from a vendor with established security practices and responsive disclosure processes. Monitor network traffic to the camera for suspicious CGI requests to /home/web/ipc and implement intrusion detection signatures. Additional information and tracking is available through VulDB references: https://vuldb.com/?ctiid.351766 and https://vuldb.com/?id.351766.

Share

CVE-2026-4476 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy