PT-2026-51647 · Motioneye · Motioneye
Published
2026-06-23
·
Updated
2026-06-23
·
CVE-2026-55863
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
motionEye version 0.43.1
Description
The
ActionHandler.post() function in the motioneye/handlers/action.py file lacks an authentication decorator. This allows an unauthenticated attacker to trigger camera actions via the /action/{camera id}/{action} endpoint. Affected actions include taking snapshots, starting or stopping recordings, and executing configured action scripts such as PTZ (Pan-Tilt-Zoom) controls, alarm triggers, and lighting changes. This could lead to a physical security bypass or Server-Side Request Forgery (SSRF) when triggering actions on remote servers.Recommendations
For version 0.43.1, apply the
@BaseHandler.auth() decorator to the post() function within the ActionHandler class to require authentication. As a temporary workaround, restrict network access to the motionEye server to trusted IP addresses to minimize the risk of unauthorized access to the /action/ endpoint.Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Motioneye