CVE-2026-55488
Absolute Path Traversal in motionEye Video Surveillance

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
motionEye (mEye) is an online interface for a piece of software called "motion," which is a video surveillance program with motion detection. Versions prior to 0.44.0 contain an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using `os.path.join()`. When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado's built-in path validation by overriding the relevant safety checks. As a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process. Version 0.44.0 fixes the issue.
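The `os.path.join()` behaviour described above, shown as an added illustration that is not motionEye's own code: a vulnerable join that lets an absolute filename replace the media directory, next to a hardened resolver that rejects absolute input and verifies the resolved path still sits under the media directory (the containment check Tornado would otherwise have supplied). The function names, the temporary media directory and the sample filenames are constructed for the example; POSIX path semantics are assumed.

```python
import os
import tempfile

# Illustrative vulnerable pattern (hypothetical, not motionEye's code): joining a
# user-controlled filename onto the media directory. os.path.join() discards every
# earlier component when a later one is absolute, so "/etc/hostname" wins outright.
def vulnerable_media_path(media_dir: str, filename: str) -> str:
    return os.path.join(media_dir, filename)


# Hardened version: resolve symlinks and ".." segments, then require the
# result to still be inside the media directory before touching the file.
def safe_media_path(media_dir: str, filename: str) -> str:
    base = os.path.realpath(media_dir)
    # Reject absolute input outright; a relative filename is the only valid shape.
    if os.path.isabs(filename):
        raise ValueError("absolute media filename rejected")
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath() of base and candidate equals base only when candidate is base
    # itself or lies below it; anything that climbed out yields a shorter prefix.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("media filename escapes media directory")
    return candidate


def demo() -> dict:
    """Constructed sandbox: a temporary media dir holding one legitimate file."""
    media = tempfile.mkdtemp(prefix="meye_media_")
    legit = os.path.join(media, "cam1-2026-06-24.mp4")
    with open(legit, "wb") as fh:
        fh.write(b"fake video bytes")  # constructed sample content
    results = {}
    results["vuln_abs"] = vulnerable_media_path(media, "/etc/hostname")
    results["vuln_rel"] = vulnerable_media_path(media, "cam1-2026-06-24.mp4")
    results["safe_rel"] = safe_media_path(media, "cam1-2026-06-24.mp4")
    for bad in ("/etc/hostname", "../../etc/hostname"):
        try:
            safe_media_path(media, bad)
            results[bad] = "ALLOWED"
        except ValueError:
            results[bad] = "REJECTED"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the vulnerable join returning `/etc/hostname` verbatim while the hardened resolver rejects both the absolute and the `..` variants and still serves the legitimate recording.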
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor             Product    Version / Range
motioneye_project  motioneye  up to 0.44.0 (excluding)
motion             motion     up to 0.44.0 (excluding)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Executive Summary

The CVE-2026-55488 vulnerability in motionEye versions prior to 0.44.0 is an absolute path traversal issue in multiple media file handlers. The application builds filesystem paths by passing a user-controlled filename parameter to Python's os.path.join(), which discards every preceding component as soon as a later component is an absolute path. When an absolute path is supplied, the configured media directory is therefore dropped and the attacker-supplied path is used as-is; the application also bypasses Tornado's built-in path validation by overriding its safety checks. This allows an attacker to read any file on the filesystem that the motionEye process has permission to access.

The vulnerability affects media playback, download, and preview functionalities through endpoints such as /movie/<camera_id>/playback/, /movie/<camera_id>/download/, /picture/<camera_id>/download/, and /picture/<camera_id>/preview/.

Impact Analysis

This vulnerability can allow an attacker to read any file on the filesystem that the motionEye process has permission to access. This includes potentially sensitive system files or other confidential data stored on the server running motionEye.

By exploiting this flaw, an attacker could gain unauthorized access to information that should be protected, leading to data leakage or further attacks depending on the contents of the accessed files.

Detection Guidance

This vulnerability can be detected by monitoring requests to the affected motionEye endpoints that handle media files, such as /movie/<camera_id>/playback/, /movie/<camera_id>/download/, /picture/<camera_id>/download/, and /picture/<camera_id>/preview/. Suspicious requests containing absolute paths or attempts to access files outside the configured media directory indicate exploitation attempts.

You can use network monitoring or web server logs to identify such requests. For example, in an nginx access log (combined format, where the request line appears in quotes), the following grep flags requests to the media endpoints whose filename segment begins with a slash, a URL-encoded slash, or a Windows drive letter:

  • grep -E '"GET /(movie|picture)/[^/ ]+/(playback|download|preview)/(/|%2[Ff]|[A-Za-z]:)' /var/log/nginx/access.log

Additionally, you can use tools like curl or wget to test if absolute path traversal is possible by sending crafted requests with absolute file paths to these endpoints.

Mitigation Strategies

The immediate mitigation step is to upgrade motionEye to version 0.44.0 or later, where this absolute path traversal vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the affected endpoints by implementing network-level controls such as firewall rules or web server access restrictions to limit exposure.

Additionally, monitor logs for suspicious activity and consider disabling media playback, download, and preview functionalities if possible.

Compliance Impact

The vulnerability allows attackers to read arbitrary files on the filesystem that the motionEye process can access, including potentially sensitive system files. This unauthorized access to files could lead to exposure of personal or sensitive data.

Such unauthorized data exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, if exploited, this vulnerability could result in violations of these standards due to failure to adequately protect sensitive data from unauthorized access.
