CVE-2026-50108
Published: 2026-06-12
Priority: P3 · 50 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.31% (22.2th percentile)
The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| naxclow | ix_cam | — | — |
| naxclow | smart_doorbell_x3 | — | — |
| naxclow | v720 | — | — |
| naxclow | x_smart_home | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Naxclow Smart Doorbell X3/X Smart Home/V720/ix cam Naxclow Platform API authorization (icsa-26-162-02 / EUVD-2026-36529)
vuldb·2026-06-12·CVSS 7.5
CVE-2026-50108 [HIGH] Naxclow Smart Doorbell X3/X Smart Home/V720/ix cam Naxclow Platform API authorization (icsa-26-162-02 / EUVD-2026-36529)
A vulnerability identified as problematic has been detected in Naxclow Smart Doorbell X3, X Smart Home, V720 and ix cam. This impacts an unknown function of the component Naxclow Platform API. This manipulation causes missing authorization.
This vulnerability is tracked as CVE-2026-50108. The attack can be carried out remotely. No exploit exists.
GHSA
The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner.
ghsa_unreviewed·2026-06-12
CVE-2026-50108 [HIGH] CWE-862 The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner.
The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.