Description
motionEye (mEye) is an online interface for a piece of software called "motion," which is a video surveillance program with motion detection. Versions prior to 0.44.0 contain an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using `os.path.join()`. When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado's built-in path validation by overriding the relevant safety checks. As a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process. Version 0.44.0 fixes the issue.
Published: 2026-06-24
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in motionEye’s media file handlers lets an attacker supply an arbitrary filename, which the application joins onto the configured media directory with os.path.join() and no validation of its own. Because os.path.join() drops every preceding component as soon as it meets an absolute one, an absolute filename replaces the media directory instead of being appended to it, and the handlers have overridden the Tornado path checks that would otherwise reject the result. An attacker can therefore read any file the motionEye process can open: system logs, configuration data, or other confidential material, compromising confidentiality and potentially enabling further attacks. Integrity and availability are not affected (the CVSS vector records VI:N and VA:N). The weakness is an absolute path traversal, mapping to CWE‑22.
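The Description and Impact sections both reduce to one property of os.path.join(). The block below is an added example, not motionEye's code and not its 0.44.0 fix: it reproduces the unsafe join, then shows the kind of containment check the handlers skipped when they overrode Tornado's validation (Tornado's own StaticFileHandler.validate_absolute_path() does a comparable root check). MEDIA_ROOT, resolve_media_path, escapes_media_root, demo and the sample filenames are assumed for illustration. The hardened check also rejects relative ".." traversal and sibling-directory prefixes, which goes beyond the absolute-path case the advisory describes.

```python
import os

# Constructed example: a per-camera media directory as motionEye might configure it.
MEDIA_ROOT = "/var/lib/motioneye/Camera1"


def vulnerable_media_path(media_root, filename):
    """Reproduces the flawed pattern described in the advisory.

    os.path.join() discards every preceding component as soon as it meets an
    absolute component, so an absolute `filename` replaces the media root
    instead of being appended to it. No normalisation happens either, so a
    relative '..' sequence is passed through untouched.
    """
    return os.path.join(media_root, filename)


def resolve_media_path(media_root, filename):
    """Hardened replacement (added example, not motionEye's fix).

    Rejects absolute input up front, then resolves symlinks and '..' with
    realpath() and requires the result to remain inside the media root.
    Raises ValueError on any escape attempt.
    """
    if os.path.isabs(filename):
        raise ValueError("absolute filename rejected: %r" % filename)
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    # commonpath() is the containment test. A plain startswith(root) would
    # accept /var/lib/motioneye/Camera1-old as if it were inside Camera1.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes media root: %r" % filename)
    return candidate


def escapes_media_root(media_root, filename):
    """True when the hardened check rejects `filename`."""
    try:
        resolve_media_path(media_root, filename)
    except ValueError:
        return True
    return False


def demo(media_root=MEDIA_ROOT):
    """Run both versions over constructed inputs and return the outcomes."""
    samples = [
        "2026-06-24/12-00-00.mp4",   # legitimate recording name
        "/etc/passwd",                # absolute path, the advisory's case
        "../../../etc/shadow",        # relative traversal, also rejected
        "../Camera1-old/x.mp4",       # sibling directory sharing the prefix
    ]
    return {
        name: {
            "vulnerable_join": vulnerable_media_path(media_root, name),
            "rejected_by_hardened_check": escapes_media_root(media_root, name),
        }
        for name in samples
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running the block prints, for each sample, the path the unsafe join would hand to the filesystem and whether the hardened check rejects it; only the legitimate recording name survives. The realpath() step matters because a check on the unresolved string can be defeated by a symlink inside the media directory pointing outside it.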

Affected Systems

All motionEye installations running a version before 0.44.0 are affected. The vendor product is motioneye‑project:motioneye, with the patch introduced in 0.44.0. Version 0.44.0 and later contain the fix, removing the unsafe concatenation of filenames.

Risk and Exploitability

The vulnerability has a CVSS 4.0 score of 7.7 (High). The vector AV:N/AC:L/AT:N/PR:N/UI:N shows it is reachable over the network with no privileges and no user interaction, and E:P together with the SSVC assessment recorded on this page (Exploitation: poc, Automatable: yes) indicates that a proof of concept exists. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, so there is no record of in‑the‑wild exploitation. Because the vulnerable code is exposed through the HTTP media file handler endpoints, a remote attacker who can reach the motionEye web interface can request a file by absolute path and read it, subject only to the filesystem permissions of the motionEye process.

Generated by OpenCVE AI on June 24, 2026 at 17:22 UTC.

Remediation

Fixed in motionEye 0.44.0 (see the description above and GHSA-rw9q-97r9-8gvh); upgrading is the vendor remediation. No separate workaround is published, but the access and privilege restrictions listed below reduce exposure until the upgrade is applied.

OpenCVE Recommended Actions

  • Upgrade motionEye to version 0.44.0 or later, which removes the unsafe path handling
  • Restrict access to the motionEye web interface so that only trusted networks or IP addresses can send HTTP requests
  • Run the motionEye process with the least privileges necessary, ensuring it cannot read sensitive system files

Generated by OpenCVE AI on June 24, 2026 at 17:22 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-rw9q-97r9-8gvh
Title: motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
History

Wed, 24 Jun 2026 19:15:00 +0000

Type: First Time appeared
Values Added: Motioneye Project; Motioneye Project motioneye
Type: Vendors & Products
Values Added: Motioneye Project; Motioneye Project motioneye

Wed, 24 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:30:00 +0000

Type: Description
Values Added: (the CVE description shown at the top of this page)
Type: Title
Values Added: motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
Type: Weaknesses
Values Added: CWE-22
Type: References
Values Added: (none listed)
Type: Metrics (cvssV4_0)
Values Added: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T17:29:03.016Z

Reserved: 2026-06-16T22:28:27.062Z

Link: CVE-2026-55488

Vulnrichment

Updated: 2026-06-24T16:03:46.527Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:00:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')