CVE-2026-55863: motionEye's missing authentication on ActionHandler allows unauthenticated camera action execution
The ActionHandler.post() method in motionEye has no authentication decorator, allowing any unauthenticated attacker to trigger camera actions including snapshots, recording start/stop, and configured action scripts (PTZ controls, alarm triggers, etc.).
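A defensive check for this bug class, as an added example that is not motionEye's code: it parses Python source and reports HTTP verb methods on handler classes that carry no authentication decorator. The decorator name `auth`, the `public` allowlist and every class in the sample other than the name `ActionHandler` are assumptions made for illustration.

```python
import ast

HTTP_METHODS = {"get", "post", "put", "delete", "patch"}

# Constructed sample, not motionEye source. The decorator name "auth" is an assumption.
SAMPLE = '''
class BaseHandler:
    @staticmethod
    def auth(admin=False):
        def wrap(func):
            return func
        return wrap

class ConfigHandler(BaseHandler):
    @BaseHandler.auth(admin=True)
    async def post(self, camera_id):
        pass

class ActionHandler(BaseHandler):
    async def post(self, camera_id, action):
        pass

class VersionHandler(BaseHandler):
    def get(self):
        pass
'''

def decorator_name(node):
    """Trailing name of a decorator: auth, BaseHandler.auth, auth(admin=True)."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def unauthenticated_methods(source, auth_decorators=("auth",), public=()):
    """Return (class, method, line) for handler verb methods with no auth decorator."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not (isinstance(cls, ast.ClassDef) and cls.name.endswith("Handler")):
            continue
        for item in cls.body:
            if not isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef)):
                continue
            if item.name not in HTTP_METHODS or (cls.name, item.name) in public:
                continue  # not a request entry point, or reviewed as intentionally public
            if not {decorator_name(d) for d in item.decorator_list} & set(auth_decorators):
                findings.append((cls.name, item.name, item.lineno))
    return sorted(findings, key=lambda f: f[2])
```

Run in CI against the handler module, with `public` listing the endpoints reviewed as intentionally open, so a new handler method without the decorator fails the build.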