Description
motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, such as /picture/{id}/preview/(unknown). Neither the API handlers, nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras' surveillance footage. This issue has been fixed in version 0.44.0.
Published: 2026-06-24
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in motionEye’s picture and movie preview endpoints where the filename parameter is not sanitized for path traversal sequences. An authenticated user with normal, non‑admin privileges can request URLs such as /picture/1/preview/../../../../etc/passwd to read any filesystem file that the motionEye process can access. The data exposed may include system files (e.g., /etc/passwd, /etc/shadow), motionEye configuration files containing password hashes or plaintext passwords, SSH keys, and surveillance footage from other cameras. This leads to confidentiality compromise and the potential theft of credentials or sensitive media.
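
The following is an added example written for this page, not code from the motionEye project or from OpenCVE. It models the bug class the advisory describes (a user-supplied filename joined onto the media directory with no containment check) beside a hardened version that resolves the path and requires it to stay under the media root. The function names, the temporary on-disk layout and the sample files are assumptions made for the demonstration.

```python
"""Added example for this page (not motionEye's code): a minimal model of
the CWE-22 pattern described above next to a hardened version.  All function
names and the on-disk layout are assumptions made for the demonstration."""
import os
import tempfile


def vulnerable_preview_path(media_root: str, filename: str) -> str:
    """Unchecked join, mirroring the behaviour the advisory describes: the
    user-controlled filename is appended to the media directory with no
    traversal check, so '..' segments walk out of media_root."""
    return os.path.join(media_root, filename)


def safe_preview_path(media_root: str, filename: str) -> str:
    """Resolve the candidate path and require it to stay inside media_root.

    Comparing realpath()s rather than the raw string rejects '..' segments,
    absolute filenames (os.path.join drops the base when the second argument
    is absolute) and symlinks that point outside the root.
    """
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    # commonpath avoids the prefix bug where '/srv/media' would also accept
    # '/srv/media2/...'.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path traversal rejected: {filename!r}")
    return candidate


def demo() -> dict:
    """Exercise both functions against constructed files in a temp directory.

    Layout (constructed, stands in for a real install):
        <tmp>/media/camera1/clip.jpg   legitimate preview inside the root
        <tmp>/secret.txt               file outside the root (think /etc/passwd)
    """
    with tempfile.TemporaryDirectory() as tmp:
        media_root = os.path.join(tmp, "media", "camera1")
        os.makedirs(media_root)
        with open(os.path.join(media_root, "clip.jpg"), "wb") as f:
            f.write(b"\xff\xd8JPEG")
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")

        traversal = "../../secret.txt"
        results = {}

        # Vulnerable join: the resolved path lands on the file outside the root
        # and a "preview" handler built on it would read that file.
        vuln_path = vulnerable_preview_path(media_root, traversal)
        results["vuln_escapes"] = os.path.realpath(vuln_path) == os.path.realpath(secret)
        with open(vuln_path) as f:
            results["vuln_reads_secret"] = f.read().startswith("root:")

        # Hardened join: legitimate file served, every traversal form refused.
        results["safe_ok"] = safe_preview_path(media_root, "clip.jpg").endswith("clip.jpg")
        for bad in (traversal, "/etc/passwd", "sub/../../secret.txt"):
            try:
                safe_preview_path(media_root, bad)
                results[bad] = "allowed"
            except ValueError:
                results[bad] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check on resolved paths is deliberately stronger than a substring scan for "..": a filename that is absolute contains no ".." yet still escapes via os.path.join, and a symlink inside the media directory can point anywhere. Checking the realpath against the root with commonpath covers all three cases.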

Affected Systems

The motionEye project's motioneye application is affected in all versions prior to 0.44.0; any installation that has not yet been upgraded to 0.44.0 or later is vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, low-complexity attack by a low-privileged user with high confidentiality impact and no integrity or availability impact. No EPSS score is available, so the exploitation probability cannot be estimated, and the vulnerability is not listed in CISA KEV. Although authentication is required, a normal (non-admin) account is sufficient to trigger the flaw, so every user of a vulnerable instance can read arbitrary files accessible to the motionEye process user, including credentials and private footage.

Generated by OpenCVE AI on June 25, 2026 at 00:30 UTC.

Remediation

The CVE record states that the issue is fixed in motionEye 0.44.0; no workaround other than upgrading is listed in the record.

OpenCVE Recommended Actions

  • Upgrade to motionEye version 0.44.0 or later where the path traversal check has been added.
  • Restrict the API endpoints or enforce stricter role‑based access control so that only administrators can access picture and movie preview URLs.
  • Ensure that the motionEye process user has the minimum necessary filesystem permissions to limit access to critical system files.
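
To complement the actions above, the following added example (written for this page, not OpenCVE's or motionEye's code) scans web-server access-log lines for traversal attempts against the picture and movie preview endpoints named in the advisory. It assumes the Apache/nginx "combined" log format and a numeric camera id in the URL; the sample log records are constructed for the example, not captured traffic.

```python
"""Added example for this page (not OpenCVE's or motionEye's code): flag
path-traversal attempts against the picture/movie preview endpoints named
in the advisory in web-server access logs.  Assumes Apache/nginx 'combined'
log format; the sample lines below are constructed, not captured traffic."""
import re
from urllib.parse import unquote

# Request line inside a combined-format record: "GET /path HTTP/1.1"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"')
# The two endpoint families from the advisory (numeric camera id assumed).
_PREVIEW_RE = re.compile(r"^/(picture|movie)/\d+/preview/")


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..' (%252e%252e) is seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_attempt(path: str) -> bool:
    """True when a preview request's filename part contains a '..' segment
    or is absolute, after decoding and backslash normalisation."""
    decoded = fully_decode(path.split("?", 1)[0]).replace("\\", "/")
    match = _PREVIEW_RE.match(decoded)
    if not match:
        return False
    rest = decoded[match.end():]
    return ".." in rest.split("/") or rest.startswith("/")


def scan_log(lines):
    """Return (client_ip, decoded_path) for every suspicious request."""
    hits = []
    for line in lines:
        m = _REQ_RE.search(line)
        if m and is_traversal_attempt(m.group("path")):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, fully_decode(m.group("path"))))
    return hits


# Constructed sample records: one benign preview fetch, three traversal
# variants (plain, percent-encoded, double-encoded) and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jun/2026:21:15:00 +0000] "GET /picture/1/preview/2026-06-24/12-00-00.jpg HTTP/1.1" 200 8123',
    '10.0.0.9 - - [24/Jun/2026:21:16:02 +0000] "GET /picture/1/preview/../../../../etc/passwd HTTP/1.1" 200 2311',
    '10.0.0.9 - - [24/Jun/2026:21:16:05 +0000] "GET /movie/2/preview/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 1432',
    '10.0.0.9 - - [24/Jun/2026:21:16:09 +0000] "GET /picture/1/preview/%252e%252e%252f%252e%252e%252froot%252f.ssh%252fid_rsa HTTP/1.1" 200 2655',
    '10.0.0.7 - - [24/Jun/2026:21:17:00 +0000] "GET /config/list HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

A reverse proxy in front of motionEye may collapse ".." segments before the request is logged, so run this over the logs closest to the application. A 200 response on a flagged request is the strongest signal that a file was actually served, whereas 4xx responses indicate probing that was blocked.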


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-g9fx-5r4h-pcw3
Title: motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
History

Wed, 24 Jun 2026 21:15:00 +0000

Type: Description
Values Removed: (empty)
Values Added: motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, such as /picture/{id}/preview/(unknown). Neither the API handlers, nor the mediafiles.py functions such as get_media_preview() check for .. sequences in the filename parameter, except for get_media_content(). This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user, such as: /etc/passwd, /etc/shadow, motionEye config files containing password hashes and plaintext passwords, SSH keys, and other cameras' surveillance footage. This issue has been fixed in version 0.44.0.

Type: Title
Values Removed: (empty)
Values Added: motionEye: Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-22, CWE-284

Type: References
Values Removed: (empty)
Values Added: (none listed)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:28:24.286Z

Reserved: 2026-03-10T15:40:10.487Z

Link: CVE-2026-31978

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:45:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-284

    Improper Access Control