CVE-2026-31978: motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
motionEye v0.43.1 (latest stable) is vulnerable to path traversal in the picture and movie API endpoints, such as /picture/{id}/preview/(unknown). Neither the API handlers nor the mediafiles.py functions such as get_media_preview() check for ".." sequences in the filename parameter; only get_media_content() does. This allows an authenticated user with normal (non-admin) privileges to read arbitrary files from the filesystem as the motionEye process user.
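The defect described above is a user-controlled filename joined onto the media directory with no containment check. The following is an added illustration, not motionEye's code: unsafe_media_path mirrors the missing check, and safe_media_path shows the fix a maintainer would apply (resolve with realpath and require the result to stay under the media root, which also covers absolute paths and symlinks, unlike a bare ".." string test). The directory layout and file names are constructed for the demo.

```python
import os
import tempfile


def unsafe_media_path(root, filename):
    # Mirrors the vulnerable pattern: the request-supplied name is joined
    # onto the media directory and used as-is, so ".." escapes the root.
    return os.path.join(root, filename)


def safe_media_path(root, filename):
    """Return the real path of `filename` inside `root`, or None if it escapes."""
    root_real = os.path.realpath(root)
    # os.path.join discards `root` when `filename` is absolute; realpath then
    # yields the outside location, which the containment check below rejects.
    candidate = os.path.realpath(os.path.join(root_real, filename))
    # commonpath is used instead of startswith so "/media2" is not accepted
    # as being inside "/media"; the root itself is not a servable file either.
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo():
    """Constructed layout: one preview inside the media root, one file outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "media")
    os.makedirs(root)
    with open(os.path.join(root, "preview.jpg"), "wb") as f:
        f.write(b"inside")
    outside = os.path.join(base, "outside.txt")
    with open(outside, "wb") as f:
        f.write(b"outside")
    traversal = "../outside.txt"  # constructed traversal input for the test
    with open(unsafe_media_path(root, traversal), "rb") as f:
        leaked = f.read()
    return {
        "unsafe_reads_outside": leaked,
        "safe_rejects_traversal": safe_media_path(root, traversal),
        "safe_rejects_absolute": safe_media_path(root, outside),
        "safe_rejects_root": safe_media_path(root, ""),
        "safe_allows_normal": safe_media_path(root, "preview.jpg")
        == os.path.realpath(os.path.join(root, "preview.jpg")),
    }


if __name__ == "__main__":
    print(demo())
```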