Description
motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions (-rw-r--r--), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges. Additionally, per-camera configuration files (camera-*.conf) are also created with the same 644 permissions, potentially exposing camera-specific credentials and settings. The exposed SHA1 admin password hash can be cracked offline to recover the plaintext password, used directly to forge authenticated admin API requests via the signature authentication weakness (GHSA-45h7-499j-7ww3), and chained with the OS command injection flaw (CVE-2025-60787) to escalate a local unprivileged user to the Motion daemon user (often root), enabling full system compromise. This issue has been fixed in version 0.44.0.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

motionEye is an online interface for motion software, a video surveillance program with motion detection. In all releases prior to 0.44.0, it creates the main configuration file /etc/motioneye/motion.conf and per-camera camera-*.conf files with world-readable 644 permissions, allowing any local user to read them. These files contain sensitive data, such as the SHA1 admin password hash and camera credentials. An attacker who can read the files can crack the hash offline, use it to forge authenticated admin API requests via the signature authentication flaw (GHSA-45h7-499j-7ww3), and chain it with the OS command injection vulnerability (CVE-2025-60787) to elevate a local unprivileged user to the Motion daemon user, often root, thereby enabling full system compromise. The issue was fixed in version 0.44.0, which sets proper 600 permissions and removes the exposure.

Affected Systems

The vulnerable product is motionEye (motioneye-project) with all releases prior to version 0.44.0. The configuration files impacted are /etc/motioneye/motion.conf and any per-camera camera-*.conf files.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.5, indicating moderate severity; it currently has no EPSS score and is not listed in CISA KEV, suggesting a lower likelihood of exploitation at scale. The attack vector is local: a non-privileged user who can log into the system can read the files, crack the admin hash offline, and chain this with the other local flaws to escalate to the Motion daemon user, which is often root.

Generated by OpenCVE AI on June 25, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to motionEye version 0.44.0 or later where file permissions are set to 600.
  • Manually change the permissions of existing /etc/motioneye/motion.conf and all camera-*.conf files to 600 to prevent local read access.
  • Reset the admin password after upgrading to invalidate the old hash and mitigate potential reuse.
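As an added example (not code from the motionEye project or from this advisory), the following POSIX shell script audits the two file classes named above under /etc/motioneye for group- or world-readable permission bits and tightens them to 0600, which is the state version 0.44.0 sets. The function names and the self-check on a temporary directory are constructed for this page; only the default directory and file names come from the advisory.

```shell
#!/bin/sh
# Added example: audit motionEye config files for group/world-readable bits
# and tighten them to 0600. The /etc/motioneye default and the file name
# patterns come from the advisory; the function names are constructed here.

# List every motion.conf / camera-*.conf directly under $1 (default
# /etc/motioneye) that is readable by group or others.
# Returns 0 when nothing is exposed, 1 when at least one file is.
audit_motioneye_conf_perms() {
    dir="${1:-/etc/motioneye}"
    # -perm -040: group-read bit set; -perm -004: other-read bit set.
    # A file created with 644 matches both.
    exposed=$(find "$dir" -maxdepth 1 -type f \
        \( -name motion.conf -o -name 'camera-*.conf' \) \
        \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Apply the recommended action: owner-only read/write on the same set of files.
fix_motioneye_conf_perms() {
    dir="${1:-/etc/motioneye}"
    find "$dir" -maxdepth 1 -type f \
        \( -name motion.conf -o -name 'camera-*.conf' \) \
        -exec chmod 0600 {} +
}

# Self-check on a constructed directory so the script runs without a
# motionEye install: files start at 644 (exposed), must be clean after fix.
demo_motioneye_perm_check() {
    tmp=$(mktemp -d)
    printf '# constructed sample config\n' > "$tmp/motion.conf"
    printf '# constructed sample config\n' > "$tmp/camera-1.conf"
    chmod 0644 "$tmp/motion.conf" "$tmp/camera-1.conf"
    # Before the fix the audit must report exposure (return 1).
    audit_motioneye_conf_perms "$tmp" >/dev/null && { rm -rf "$tmp"; return 1; }
    fix_motioneye_conf_perms "$tmp"
    # After the fix the audit must be clean (return 0).
    audit_motioneye_conf_perms "$tmp" >/dev/null || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    return 0
}
```

Run `audit_motioneye_conf_perms` as root from a cron job or configuration-management check to detect a downgrade or a reinstall that recreates the files with 644; the `-perm -mode` form is used rather than `-perm /mode` because it is the portable POSIX spelling.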

Advisories

Source: GitHub GHSA
ID: GHSA-rhgp-6wq6-9j67
Title: motionEye's World-Readable Configuration File Exposes Admin Password Hash
History

Wed, 24 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions (-rw-r--r--), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges. Additionally, per-camera configuration files (camera-*.conf) are also created with the same 644 permissions, potentially exposing camera-specific credentials and settings. The exposed SHA1 admin password hash can be cracked offline to recover the plaintext password, used directly to forge authenticated admin API requests via the signature authentication weakness (GHSA-45h7-499j-7ww3), and chained with the OS command injection flaw (CVE-2025-60787) to escalate a local unprivileged user to the Motion daemon user (often root), enabling full system compromise. This issue has been fixed in version 0.44.0.
Title | | motionEye: World-Readable Configuration File Exposes Admin Password Hash
Weaknesses | | CWE-200, CWE-522, CWE-732
References | |
Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T20:45:34.326Z

Reserved: 2026-03-11T21:16:21.660Z

Link: CVE-2026-32315

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-522: Insufficiently Protected Credentials
  • CWE-732: Incorrect Permission Assignment for Critical Resource