CVE-2026-50244
Deferred - Pending Action

Registration Endpoint Enumeration in Naxclow Platform

Publication date: 2026-06-12

Last updated on: 2026-06-16

Assigner: ICS-CERT

Description

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint’s behavior enables precise fleet enumeration.
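
The three properties named in the description (no ownership check, sequential identifiers, counter returned to the caller), modelled next to one way of removing them. This is an added example, not Naxclow code: the `Registry` class, the function names and the identifier format are hypothetical, and the request signature is assumed to be verified upstream.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Registry:
    """Hypothetical in-memory stand-in for the platform's device registry."""
    owners: dict = field(default_factory=dict)    # account_id -> owning principal
    counters: dict = field(default_factory=dict)  # batch prefix -> devices minted
    devices: dict = field(default_factory=dict)   # device_id -> account_id


def register_as_described(reg, batch, account_id):
    """Behaviour the description reports: no ownership check, sequential
    identifier, and the batch high-water counter echoed to the caller."""
    n = reg.counters.get(batch, 0) + 1
    reg.counters[batch] = n
    device_id = f"{batch}{n:06d}"  # assumed format, for illustration only
    reg.devices[device_id] = account_id
    return {"device_id": device_id, "counter": n}


def register_hardened(reg, caller, batch, account_id):
    """Same operation with those three properties removed.

    `caller` is the principal authenticated by the request signature
    (assumed to have been verified before this function is reached).
    """
    # CWE-862 fix: the signer must own the account it registers against.
    owner = reg.owners.get(account_id)
    if owner is None or owner != caller:
        raise PermissionError("caller does not own account")
    # The counter stays server-side, for internal accounting only.
    reg.counters[batch] = reg.counters.get(batch, 0) + 1
    # Random suffix: the identifier reveals nothing about fleet size or order.
    device_id = f"{batch}{secrets.token_hex(8)}"
    while device_id in reg.devices:  # collisions are unlikely, but never reuse
        device_id = f"{batch}{secrets.token_hex(8)}"
    reg.devices[device_id] = account_id
    return {"device_id": device_id}  # no counter in the response
```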

Meta Information

Published: 2026-06-12
Last Modified: 2026-06-16
Generated: 2026-07-03
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-07-01

Affected Vendors & Products

Currently, no data is known.

CWE

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

The vulnerability in the Naxclow platform involves a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier without verifying if the caller actually owns that account.

Each request to this endpoint mints a new sequential device identifier and returns the current high-water counter value for the batch, which allows an attacker to measure and enumerate the active device space precisely.

Because there is no validation of ownership, unauthorized users can exploit this behavior to enumerate devices in the system.

Impact Analysis

This vulnerability allows unauthorized parties to enumerate the active devices registered in the Naxclow platform.

Such precise fleet enumeration can lead to information disclosure, potentially aiding attackers in mapping the device landscape and planning further attacks.
