CVE-2026-50244
Published 2026-06-12
Priority P4 · 32 · medium · 5.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.22% (12.6th percentile)
The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint’s behavior enables precise fleet enumeration.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| naxclow | ix_cam | — | — |
| naxclow | smart_doorbell_x3 | — | — |
| naxclow | v720 | — | — |
| naxclow | x_smart_home | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Naxclow Smart Doorbell X3/X Smart Home/V720/ix cam Registration Endpoint authorization (icsa-26-162-02 / EUVD-2026-36533)
vuldb·2026-06-12·CVSS 5.3
CVE-2026-50244 [MEDIUM] Naxclow Smart Doorbell X3/X Smart Home/V720/ix cam Registration Endpoint authorization (icsa-26-162-02 / EUVD-2026-36533)
A vulnerability classified as problematic was found in Naxclow Smart Doorbell X3, X Smart Home, V720 and ix cam. The affected element is an unknown function of the component Registration Endpoint. Such manipulation leads to missing authorization.
This vulnerability is documented as CVE-2026-50244. The attack can be executed remotely. There is not any exploit available.
GHSA
ghsa_unreviewed·2026-06-12
CVE-2026-50244 [MEDIUM] CWE-862
The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint’s behavior enables precise fleet enumeration.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-12