CVE-2026-32315: motionEye's World-Readable Configuration File Exposes Admin Password Hash

June 22, 2026

motionEye v0.43.1 and prior versions create the configuration file /etc/motioneye/motion.conf with 644 permissions (-rw-r--r--), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges.

References

github.com/advisories/GHSA-rhgp-6wq6-9j67
github.com/motioneye-project/motioneye/security/advisories/GHSA-rhgp-6wq6-9j67
nvd.nist.gov/vuln/detail/CVE-2026-32315

Code Behaviors & Features

Detect and mitigate CVE-2026-32315 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →