Description
The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications.
Published: 2026-06-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker with a valid platform request signature to query device relay registration details and extract persistent credentials for arbitrary devices. By using these credentials, the attacker can register on the device relay as the legitimate device, enabling interception of communications and potential disruption of device operation. The weakness is a missing authorization check, classified as CWE‑862, and can compromise both confidentiality and integrity of device data.

Affected Systems

The affected products are Naxclow Smart Doorbell X3, V720, X Smart Home, and ix cam, all running on the Naxclow IoT platform. Specific software versions are not disclosed in the available data.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity vulnerability. EPSS is not available, and the CVE is not listed in the CISA KEV catalog. An attacker must possess a valid request signature; the likely attack vector is remote API access, where the attacker submits a signed request to the vulnerable endpoint and can retrieve device credentials.

Generated by OpenCVE AI on June 12, 2026 at 19:25 UTC.

Remediation

Vendor Solution

Naxclow did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Naxclow for more information.


OpenCVE Recommended Actions

  • Contact Naxclow for a patch or guidance on mitigation measures
  • Restrict API exposure to trusted devices and networks, disabling public access to the relay registration endpoint if possible
  • Enable detailed logging and monitor for unauthorized credential requests or registration attempts



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Naxclow; Naxclow ix Cam; Naxclow smart Doorbell X3; Naxclow v720; Naxclow x Smart Home
Vendors & Products | | Naxclow; Naxclow ix Cam; Naxclow smart Doorbell X3; Naxclow v720; Naxclow x Smart Home

Fri, 12 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications.
Title | | Naxclow IoT Platform Missing Authorization
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-12T19:01:28.533Z

Reserved: 2026-06-08T20:04:55.525Z

Link: CVE-2026-50108

Vulnrichment

Updated: 2026-06-12T19:01:24.840Z

NVD

Status: Received

Published: 2026-06-12T19:16:29.633

Modified: 2026-06-12T19:16:29.633

Link: CVE-2026-50108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:23Z
