Skip to main content

motionEye CVE-2026-46488

CRITICAL
Plaintext Storage of a Password (CWE-256)
2026-06-22 https://github.com/motioneye-project/motioneye GHSA-r3cw-c95m-wfh9
Share

Severity by source

vuln.today AI
8.1 HIGH

Network-exploitable with no auth or UI, but requires prior knowledge of the password hash (local file read or leak), so AC:H; full admin takeover yields high C/I/A.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 21:21 vuln.today
Analysis Generated
Jun 22, 2026 - 21:21 vuln.today

DescriptionCVE.org

Summary

An authentication bypass vulnerability exists due to improper trust in client-controlled cookies. The application accepts user-supplied cookie values containing a username and password-hash-derived value as sufficient authentication material. These cookies can be set or modified prior to login, allowing an unauthenticated attacker to impersonate arbitrary users without knowledge of the plaintext password. This issue stems from the absence of server-side validation of authentication state and reliance on attacker-controlled cookie data

Details

The vulnerability arises because the application accepts the client-supplied cookies named meye_password_hash and meye_username as sufficient authentication material. The server does not validate these values against a server-side session or enforce proper authentication checks before establishing an authenticated state. As a result, an unauthenticated attacker can set or modify these cookies to impersonate another user if the target username and corresponding hash are known.

These cookies normally appear after using the "switch user" functionality; however, they can be added manually prior to authentication using standard browser tools (e.g., developer tools or cookie editors) or dynamically loaded by submitting blank credentials. When supplied, the server accepts them and authenticates the attacker as the specified user bypassing the intended authentication flow

Additionally, the password-hash value and username for the admin account used by the application is stored in /etc/motioneye/motion.conf which is globally readable by default on the local system. This means any local user with shell access can obtain a valid hash and values and use them to impersonate the admin via the cookie manipulation described above. While local access is required to retrieve the hash, this significantly lowers the barrier to exploitation in multi-user environments.

PoC

Starting state unauthenticated with no cookies: <img width="644" height="475" alt="start state" src="https://github.com/user-attachments/assets/cf4aff78-65f7-4f67-99e2-9134c8f04277" />

After manually adding or submitting blank credentials to get the cookies loaded: <img width="643" height="470" alt="empty cookies" src="https://github.com/user-attachments/assets/223878eb-f085-4ac5-a92a-2ac21831c594" />

Adding the credentials and refreshing the page gives us a valid session: <img width="641" height="466" alt="admin login with hash" src="https://github.com/user-attachments/assets/94b350ef-dd32-4cae-8bd8-e48841873f79" />

version information and session interaction validation <img width="643" height="468" alt="verison" src="https://github.com/user-attachments/assets/94290ad6-4e82-4026-8e27-5374e2f3a631" />

Impact

Authentication bypass

Who is impacted?

Any MotionEye deployment where attackers have access to a username and hash, and/or the /etc/motioneye/motion.conf file with the admin username and hash.

Potential consequences:

  • Account lockouts
  • Attacker persistence by changing the password
  • Enumeration of data
  • Destruction of data
  • Exfiltration of data

AnalysisAI

Authentication bypass in motionEye versions prior to 0.44.0 allows remote attackers to impersonate any user, including the administrator, by setting the client-controlled cookies meye_password_hash and meye_username without ever knowing the plaintext password. The server treats these attacker-controlled values as sufficient authentication material, and because the admin hash is stored in a world-readable file (/etc/motioneye/motion.conf), any local shell user can trivially escalate to admin via the web UI. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed motionEye instance
Delivery
Obtain admin hash from motion.conf or leak
Exploit
Set meye_username and meye_password_hash cookies
Execution
Reload page to establish admin session
Persist
Change password for persistence
Impact
Access/exfiltrate camera feeds and stored footage

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the motionEye web interface AND knowledge of a target username (admin is default) plus its corresponding password-hash value. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score is provided in the input, and the CVE is not listed in CISA KEV, so quantitative signals are limited. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to motionEye (e.g., an exposed surveillance dashboard on a home or small-business LAN, or an internet-exposed instance) opens the login page, uses browser dev tools to inject meye_username=admin and meye_password_hash=<known or recovered hash>, and refreshes - gaining an authenticated admin session. Alternatively, a low-privileged local user on the host reads /etc/motioneye/motion.conf, lifts the admin hash, and uses the same cookie trick to take over the web UI, then changes the password to lock out the legitimate admin and pivots to view/exfiltrate camera footage. …
Remediation Vendor-released patch: upgrade motionEye to version 0.44.0 or later (pip install --upgrade motioneye) as published in GHSA-r3cw-c95m-wfh9 (https://github.com/motioneye-project/motioneye/security/advisories/GHSA-r3cw-c95m-wfh9). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all motionEye instances and version numbers, isolate web interfaces from untrusted networks via firewall rules, and enable detailed access logging. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46488 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy