{"api_version":"1","generated_at":"2026-06-25T17:56:51+00:00","cve":"CVE-2026-32315","urls":{"html":"https://cve.report/CVE-2026-32315","api":"https://cve.report/api/cve/CVE-2026-32315.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-32315","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-32315"},"summary":{"title":"motionEye: World-Readable Configuration File Exposes Admin Password Hash","description":"motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions (-rw-r--r--), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges. Additionally, per-camera configuration files (camera-*.conf) are also created with the same 644 permissions, potentially exposing camera-specific credentials and settings. The exposed SHA1 admin password hash can be cracked offline to recover the plaintext password, used directly to forge authenticated admin API requests via the signature authentication weakness (GHSA-45h7-499j-7ww3), and chained with the OS command injection flaw (CVE-2025-60787) to escalate a local unprivileged user to the Motion daemon user (often root), enabling full system compromise. This issue has been fixed in version 0.44.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-24 21:16:53","updated_at":"2026-06-25 13:16:38"},"problem_types":["CWE-200","CWE-522","CWE-732","CWE-732 CWE-732: Incorrect Permission Assignment for Critical Resource","CWE-522 CWE-522: Insufficiently Protected Credentials","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/motioneye-project/motioneye/releases/tag/0.44.0","name":"https://github.com/motioneye-project/motioneye/releases/tag/0.44.0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rhgp-6wq6-9j67","name":"https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rhgp-6wq6-9j67","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-32315","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32315","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"motioneye-project","product":"motioneye","version":"affected < 0.44.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-32315","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-25T12:36:16.343159Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-25T12:36:19.974Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rhgp-6wq6-9j67"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"motioneye","vendor":"motioneye-project","versions":[{"status":"affected","version":"< 0.44.0"}]}],"descriptions":[{"lang":"en","value":"motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions (-rw-r--r--), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges. Additionally, per-camera configuration files (camera-*.conf) are also created with the same 644 permissions, potentially exposing camera-specific credentials and settings. The exposed SHA1 admin password hash can be cracked offline to recover the plaintext password, used directly to forge authenticated admin API requests via the signature authentication weakness (GHSA-45h7-499j-7ww3), and chained with the OS command injection flaw (CVE-2025-60787) to escalate a local unprivileged user to the Motion daemon user (often root), enabling full system compromise. This issue has been fixed in version 0.44.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-732","description":"CWE-732: Incorrect Permission Assignment for Critical Resource","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-522","description":"CWE-522: Insufficiently Protected Credentials","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-200","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-24T20:45:34.326Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rhgp-6wq6-9j67","tags":["x_refsource_CONFIRM"],"url":"https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rhgp-6wq6-9j67"},{"name":"https://github.com/motioneye-project/motioneye/releases/tag/0.44.0","tags":["x_refsource_MISC"],"url":"https://github.com/motioneye-project/motioneye/releases/tag/0.44.0"}],"source":{"advisory":"GHSA-rhgp-6wq6-9j67","discovery":"UNKNOWN"},"title":"motionEye: World-Readable Configuration File Exposes Admin Password Hash"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-32315","datePublished":"2026-06-24T20:45:34.326Z","dateReserved":"2026-03-11T21:16:21.660Z","dateUpdated":"2026-06-25T12:36:19.974Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 21:16:53","lastModifiedDate":"2026-06-25 13:16:38","problem_types":["CWE-200","CWE-522","CWE-732","CWE-732 CWE-732: Incorrect Permission Assignment for Critical Resource","CWE-522 CWE-522: Insufficiently Protected Credentials","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-25T12:36:16.343159Z","id":"CVE-2026-32315","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"32315","Ordinal":"1","Title":"motionEye: World-Readable Configuration File Exposes Admin Passw","CVE":"CVE-2026-32315","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"32315","Ordinal":"1","NoteData":"motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions (-rw-r--r--), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges. Additionally, per-camera configuration files (camera-*.conf) are also created with the same 644 permissions, potentially exposing camera-specific credentials and settings. The exposed SHA1 admin password hash can be cracked offline to recover the plaintext password, used directly to forge authenticated admin API requests via the signature authentication weakness (GHSA-45h7-499j-7ww3), and chained with the OS command injection flaw (CVE-2025-60787) to escalate a local unprivileged user to the Motion daemon user (often root), enabling full system compromise. This issue has been fixed in version 0.44.0.","Type":"Description","Title":"motionEye: World-Readable Configuration File Exposes Admin Passw"}]}}}