motionEye: Authentication possible via password hash
Advisory details
Summary
An authentication bypass vulnerability exists due to improper trust in client-controlled cookies. The application accepts user-supplied cookie values containing a username and a password-hash-derived value as sufficient authentication material. These cookies can be set or modified prior to login, allowing an unauthenticated attacker to impersonate arbitrary users without knowledge of the plaintext password. This issue stems from the absence of server-side validation of authentication state and from reliance on attacker-controlled cookie data.
Details
The vulnerability arises because the application accepts the client-supplied cookies named meye_password_hash and meye_username as sufficient authentication material. The server does not validate these values against a server-side session or enforce proper authentication checks before establishing an authenticated state. As a result, an unauthenticated attacker can set or modify these cookies to impersonate another user if the target username and corresponding hash are known.
These cookies normally appear after using the "switch user" functionality; however, they can be added manually prior to authentication using standard browser tools (e.g., developer tools or cookie editors) or loaded dynamically by submitting blank credentials. When supplied, the server accepts them and authenticates the attacker as the specified user, bypassing the intended authentication flow.
Additionally, the password-hash value and username for the admin account used by the application are stored in /etc/motioneye/motion.conf, which is globally readable by default on the local system. This means any local user with shell access can obtain a valid username and hash and use them to impersonate the admin via the cookie manipulation described above. While local access is required to retrieve the hash, this significantly lowers the barrier to exploitation in multi-user environments.
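To make the root cause concrete, here is an added illustration (not motionEye's own code) of the cookie-trust pattern the advisory describes next to a hardened version that keeps authentication state server-side. The user table, hash scheme and cookie name meye_session are constructed for the example; the page does not specify motionEye's internal hashing.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed user table: username -> hex digest of the password.
# A real deployment should use a slow password KDF, not a bare hash.
USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}


def vulnerable_authenticate(cookies: Dict[str, str]) -> Optional[str]:
    """Pattern described in the advisory: the client-supplied username and
    password-hash cookies are accepted as proof of identity, so anyone who
    obtains the stored hash (e.g. from a world-readable config file) is
    authenticated without ever presenting the plaintext password."""
    user = cookies.get("meye_username")
    supplied_hash = cookies.get("meye_password_hash")
    if user in USERS and supplied_hash == USERS[user]:
        return user
    return None


# Hardened pattern: the cookie carries only an opaque, server-issued
# session id; all authentication state lives in this server-side table.
SESSIONS: Dict[str, str] = {}  # session id -> username


def login(username: str, password: str) -> Optional[str]:
    """Verify the plaintext password server-side and mint a random session
    id. Returns the id to set as the meye_session cookie, or None."""
    expected = USERS.get(username)
    if expected is None:
        return None
    presented = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(presented, expected):  # constant-time compare
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def hardened_authenticate(cookies: Dict[str, str]) -> Optional[str]:
    """Resolve identity only from server-side session state; a leaked
    password hash cannot be turned into a valid session handle."""
    return SESSIONS.get(cookies.get("meye_session", ""))


def logout(sid: str) -> None:
    """Invalidate a session server-side; the cookie value becomes useless."""
    SESSIONS.pop(sid, None)
```

The vulnerable function succeeds with nothing but the stored hash, while the hardened path only honours an id that login() issued after verifying the password.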
PoC
Starting state, unauthenticated with no cookies:
After manually adding the cookies, or submitting blank credentials to get them loaded:
Adding the credentials and refreshing the page gives us a valid session:
Version information and session interaction validation:
Impact
Authentication bypass
Who is impacted?
Any motionEye deployment where attackers have access to a username and hash, and/or to the /etc/motioneye/motion.conf file containing the admin username and hash.
Potential consequences:
- Account lockouts
- Attacker persistence by changing the password
- Enumeration of data
- Destruction of data
- Exfiltration of data