CVE-2026-50108

Summary

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications.

Affected Software

VendorProductVersion RangeStatus
NaxclowSmart Doorbell X3Allaffected
NaxclowX Smart HomeAllaffected
NaxclowV720Allaffected
Naxclowix camAllaffected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References