CVE-2026-31978

Name of the Vulnerable Software and Affected Versions motionEye version 0.43.1

Description An absolute path traversal issue exists in the picture and movie API endpoints, such as '/picture/{id}/preview/{filename}'. The vulnerability occurs because the API handlers and functions get media preview() and del media content() in mediafiles.py do not validate the filename parameter for .. sequences. This allows an authenticated user with normal privileges to read arbitrary files from the filesystem as the motionEye process user. The exploitation requires the use of %2F-encoded slashes, which are passed raw to os.path.join() by the Tornado URL router.

Recommendations As a temporary workaround, restrict access to the '/picture/{id}/preview/{filename}' API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.