PT-2026-51647 · Motioneye · Motioneye

Published

2026-06-23

·

Updated

2026-06-23

·

CVE-2026-55863

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions motionEye version 0.43.1
Description The ActionHandler.post() function in the motioneye/handlers/action.py file lacks an authentication decorator. This allows an unauthenticated attacker to trigger camera actions via the /action/{camera id}/{action} endpoint. Affected actions include taking snapshots, starting or stopping recordings, and executing configured action scripts such as PTZ (Pan-Tilt-Zoom) controls, alarm triggers, and lighting changes. This could lead to a physical security bypass or Server-Side Request Forgery (SSRF) when triggering actions on remote servers.
Recommendations For version 0.43.1, apply the @BaseHandler.auth() decorator to the post() function within the ActionHandler class to require authentication. As a temporary workaround, restrict network access to the motionEye server to trusted IP addresses to minimize the risk of unauthorized access to the /action/ endpoint.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55863
GHSA-J67X-Q29F-QCVV

Affected Products

Motioneye