What is the severity of CVE-2026-55488?

CVE-2026-55488 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-55488?

No known public exploits are currently available for CVE-2026-55488.

Is there a patch available for CVE-2026-55488?

Yes, patches are available for CVE-2026-55488. Check the vendor advisories for update instructions.

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem.

The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join(). When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado's built-in path validation by overriding the relevant safety checks.

As a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process.

Details

The issue exists in the media playback and download functionality.

The filename parameter is passed to mediafiles.get_media_path():

def get_media_path(camera_config, path, media_type):
    target_dir = camera_config.get('target_dir')
    full_path = os.path.join(target_dir, path)
    return full_path

When path is an absolute path (e.g. /etc/motioneye/motion.conf), Python's os.path.join() discards target_dir entirely and returns the absolute path as-is. This would normally be caught by Tornado's StaticFileHandler path validation, but MoviePlaybackHandler explicitly overrides both safety checks (movie_playback.py lines 111-115):

def get_absolute_path(self, root, path):
    return path

def validate_absolute_path(self, root, absolute_path):
    return absolute_path

This allows reading any file on the filesystem that the motionEye process can access.

The same path traversal exists in the movie download, picture download, and picture preview handlers:

GET /movie/<camera_id>/download/<filename>
GET /picture/<camera_id>/download/<filename>
GET /picture/<camera_id>/preview/<filename>

PoC

GET /movie/1/playback//etc/motioneye/motion.conf HTTP/1.1
Host: target:8765

Fix

Do not allow absolute paths supplied by user input.

Validate that the fully resolved canonical path remains within the configured camera media directory before serving a file.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Ready for Agentic Automated Testing?

CVE-2026-55488

Summary

Details

PoC

Fix