Description
Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6.
Published: 2026-03-25
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Storage Exhaustion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the firmware upload functionality of Nanoleaf Lines 12.3.2, which does not authenticate incoming firmware files. An attacker can remotely upload arbitrary firmware, forcing the device to write data to storage until capacity is exhausted. This leads to a denial of service by exhausting available storage and potentially rendering the device inoperable. The weakness corresponds to CWE-400: Uncontrolled Resource Consumption.

Affected Systems

The affected product is Nanoleaf Lines, specifically shipping firmware version 12.3.2 (and any intermediate releases up to 12.3.5). All devices running these firmware versions that allow firmware uploads are vulnerable. The issue is resolved in firmware 12.3.6.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. No EPSS score is available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The description confirms that an unauthenticated attacker can remotely exploit the flaw by uploading firmware, which suggests that the attack vector is network-based and requires no local privileges. While the impact is limited to resource exhaustion, repeated exploitation could disrupt the device's normal operation.

Generated by OpenCVE AI on March 25, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nanoleaf Lines firmware to version 12.3.6 or later.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nanoleaf; Nanoleaf lines
Vendors & Products | | Nanoleaf; Nanoleaf lines

Wed, 25 Mar 2026 16:15:00 +0000


Wed, 25 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6.
Title | | Nanoleaf Lines unauthenticated firmware file store
Weaknesses | | CWE-400
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-25T15:53:45.320Z

Reserved: 2026-03-18T15:41:17.786Z

Link: CVE-2026-33268

Vulnrichment

Updated: 2026-03-25T14:50:50.928Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T15:16:48.280

Modified: 2026-03-25T16:16:21.793

Link: CVE-2026-33268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:43:04Z

Weaknesses