PT-2026-51644 · Motioneye · Motioneye

Published: 2026-06-23 · Updated: 2026-06-24 · CVE-2026-55488

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

motionEye versions prior to 0.44.0

Description

An absolute path traversal issue exists in multiple media file handlers within the media playback and download functionality. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using the os.path.join() function. When an absolute path is provided, Python discards the configured media directory and returns the attacker-supplied path directly. The application further bypasses Tornado's built-in path validation by overriding safety checks in the get_absolute_path() and validate_absolute_path() functions. This allows an attacker to read arbitrary files from the filesystem that the motionEye process has permissions to access. The issue affects the following endpoints:
  • '/movie//download/'
  • '/picture//download/'
  • '/picture//preview/'
Recommendations

Update to version 0.44.0.
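
The os.path.join() behaviour described above, next to a containment check that rejects it. This is an added example, not motionEye's code and not the 0.44.0 patch; resolve_unsafe, resolve_safe, is_inside and run_samples are hypothetical names, the file names are constructed, and the check also covers ".." segments and symlinks, which goes beyond the absolute-path case in the description.

```python
import os
import tempfile


def resolve_unsafe(media_dir, filename):
    # Pattern from the description: join() discards media_dir
    # entirely when filename is an absolute path.
    return os.path.join(media_dir, filename)


def resolve_safe(media_dir, filename):
    """Return the canonical path of filename under media_dir or raise ValueError."""
    root = os.path.realpath(media_dir)
    if os.path.isabs(filename):
        raise ValueError("absolute filename rejected")
    # realpath collapses ".." and follows symlinks before the containment test.
    candidate = os.path.realpath(os.path.join(root, filename))
    # commonpath compares whole components, so /data/media2 is not "inside" /data/media.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes media directory")
    return candidate


def is_inside(media_dir, path):
    root = os.path.realpath(media_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def run_samples():
    """Resolve constructed filenames both ways; return {label: (unsafe_inside, safe_ok)}."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "media")          # constructed media directory
        os.mkdir(media)
        outside = os.path.join(tmp, "outside.txt")  # constructed file outside it
        samples = {"relative": "cam1/clip.mp4", "absolute": outside, "dotdot": "../outside.txt"}
        for label, name in samples.items():
            unsafe_inside = is_inside(media, resolve_unsafe(media, name))
            try:
                resolve_safe(media, name)
                safe_ok = True
            except ValueError:
                safe_ok = False
            out[label] = (unsafe_inside, safe_ok)
    return out


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(label, result)
```

A handler that serves files through Tornado's StaticFileHandler gets an equivalent containment check from the stock validate_absolute_path(), provided it is not overridden.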

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-55488
GHSA-RW9Q-97R9-8GVH

Affected Products

Motioneye