EXECUTIVE SUMMARY:
CVE-2026-55488 (CVSS 7.5) is a path traversal flaw in the motionEye web UI affecting all releases prior to the patched version. The vulnerability resides in the media playback, download, and preview handlers, where a user-controlled filename parameter is combined with the configured media directory using Python's os.path.join(). When the supplied filename is absolute, os.path.join() discards every preceding component and returns the attacker's path unchanged; the handlers' overridden get_absolute_path and validate_absolute_path methods then skip Tornado's built-in check that the resolved file lies inside the served root, so the server reads any file the motionEye process can access. A crafted HTTP GET request such as GET /movie/1/playback//etc/motioneye/motion.conf triggers the flaw: the doubled slash makes the captured filename begin with "/", which is exactly the absolute-path case. Exploitation requires only network access to the web interface, and no authentication if the UI is exposed without it. Successful exploitation grants the attacker read access to arbitrary files, potentially exposing configuration secrets, credentials, or other sensitive data. The business impact includes loss of confidentiality, facilitation of further lateral movement, and compliance violations, especially for environments that store critical surveillance footage or system settings. Exploitation depends on the application running with sufficient filesystem privileges to read the targeted files and on the attacker being able to reach the vulnerable endpoint over the network.
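The following script is an added illustration of the os.path.join() behaviour described above and of one way to contain it; it is not motionEye's code and not the project's upstream fix. The route regex in capture_filename(), the media directory names, and the temporary files built by demo() are assumptions constructed for the example.

```python
"""Illustrates the os.path.join() hazard behind CVE-2026-55488 and a hardened
lookup. Added example; not motionEye's code or its upstream fix."""
import os
import re
import tempfile

# Assumed route shape (not motionEye's actual regex): everything after
# "/playback/" is captured as the filename, so "playback//etc/..." yields
# a filename that begins with "/".
_ROUTE = re.compile(r"^/movie/(\d+)/playback/(.*)$")


def capture_filename(request_path):
    """Return the filename a route like the one above would capture."""
    match = _ROUTE.match(request_path)
    return match.group(2) if match else None


def vulnerable_media_path(media_dir, filename):
    """Pattern described in the advisory: when filename is absolute,
    os.path.join() discards media_dir and returns filename unchanged."""
    return os.path.join(media_dir, filename)


def safe_media_path(media_dir, filename):
    """Hardened lookup (an assumption, not the project's fix): refuse
    absolute names, resolve symlinks, and require the result to stay under
    media_dir. Returns the resolved path or raises ValueError."""
    if os.path.isabs(filename):
        raise ValueError("absolute path rejected: %r" % filename)
    base = os.path.realpath(media_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath() catches both "../" escapes and symlinks pointing outside.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes media directory: %r" % filename)
    return candidate


def is_rejected(media_dir, filename):
    """True if the hardened check refuses the name."""
    try:
        safe_media_path(media_dir, filename)
    except ValueError:
        return True
    return False


def demo():
    """Build a throwaway media directory (constructed test data) containing a
    symlink that points outside it, then compare both lookups."""
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "Camera1")
        os.mkdir(media)
        secret = os.path.join(tmp, "motion.conf")  # stand-in config outside media
        with open(secret, "w") as fh:
            fh.write("# constructed secret\n")
        os.symlink(secret, os.path.join(media, "escape.conf"))

        # Filename as captured from the advisory's example request.
        absolute = capture_filename("/movie/1/playback//etc/motioneye/motion.conf")
        return {
            "captured_is_absolute": absolute == "/etc/motioneye/motion.conf",
            "join_drops_media_dir": vulnerable_media_path(media, absolute) == absolute,
            "join_keeps_relative": vulnerable_media_path(media, "clip.mp4") == media + "/clip.mp4",
            "hardened_rejects_absolute": is_rejected(media, absolute),
            "hardened_rejects_dotdot": is_rejected(media, "../motion.conf"),
            "hardened_rejects_symlink_escape": is_rejected(media, "escape.conf"),
            "hardened_accepts_relative":
                safe_media_path(media, "clip.mp4") == os.path.realpath(media) + "/clip.mp4",
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-32s %s" % (name, "ok" if ok else "FAIL"))
```

The symlink case is why the hardened version resolves with os.path.realpath() before comparing: a prefix check on the unresolved string would accept escape.conf even though it points outside the media directory.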
RECOMMENDATION:
Upgrade motionEye to a release that includes the fix for CVE-2026-55488 (see the GitHub advisory referenced below). Until the upgrade is applied, do not expose the web UI directly to untrusted networks; place it behind a VPN or an authenticating reverse proxy so that the media playback, download, and preview endpoints cannot be reached anonymously. Run the motionEye process as a dedicated, unprivileged account so that an arbitrary file read is limited to what that account can access, and keep credentials out of files readable by it where possible. Any custom handler that maps user input to a filesystem path should reject absolute names and verify that the resolved path, after symlink resolution, remains within the intended media directory.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-rw9q-97r9-8gvh