CVE-2026-46488: motionEye: Authentication possible via password hash

June 22, 2026

An authentication bypass vulnerability exists due to improper trust in client-controlled cookies. The application accepts user-supplied cookie values containing a username and password-hash-derived value as sufficient authentication material. These cookies can be set or modified prior to login, allowing an unauthenticated attacker to impersonate arbitrary users without knowledge of the plaintext password. This issue stems from the absence of server-side validation of authentication state and reliance on attacker-controlled cookie data

References

github.com/advisories/GHSA-r3cw-c95m-wfh9
github.com/motioneye-project/motioneye/security/advisories/GHSA-r3cw-c95m-wfh9
nvd.nist.gov/vuln/detail/CVE-2026-46488

Code Behaviors & Features

Detect and mitigate CVE-2026-46488 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →