GHSA-phv5-334h-mxcw: motionEye Partial Authentication Bypass: Unauthenticated Admin Credential Theft via Path Traversal
Others and I have reported several RCE vulnerabilities to this project. However, due to the nature of the app, these are largely not of all that much value, as there is built-in functionality to run commands upon certain actions — i.e. RCE is by design.
With that in mind, I endeavored to find some sort of auth bypass, and was slightly successful.
When the admin password is set but the normal (surveillance) user password is left empty (the default), an unauthenticated attacker can exploit a path traversal vulnerability to read the motionEye configuration file from disk. This file contains the admin password as a SHA-1 hash, and that hash is accepted directly as a signing key for admin API requests — no cracking required. The result is full admin access from zero credentials.
This is a realistic scenario: many installations set an admin password to protect the settings UI but leave the normal user password empty so household members can view camera feeds without logging in.
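The first link in the chain above is an unauthenticated file read via path traversal. The following is an added example (not motionEye's code) of the check a file-serving handler needs before opening anything under a static directory; the base directory and request paths are constructed for illustration.

```python
"""Hardened path resolution for a file-serving handler (added example)."""
import os
from typing import Optional
from urllib.parse import unquote


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` only if it stays inside `base_dir`.

    Returns None for anything that escapes the directory: '..' segments,
    percent- or double-percent-encoded traversal, backslash separators,
    absolute paths and embedded NUL bytes.
    """
    # Decode twice so a doubly encoded '%252e%252e' cannot pass this check
    # and then be decoded again by a later layer.
    decoded = unquote(unquote(requested))
    # Reject NUL bytes and absolute paths outright.
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    # Treat backslashes as separators so 'a\..\b' cannot slip past on POSIX.
    decoded = decoded.replace("\\", "/")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # The resolved path must be the base directory itself or a descendant.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed base directory; it does not need to exist for the check.
    BASE = "/srv/example-webroot/static"
    for req in ("css/main.css", "css/../js/app.js",
                "../../etc/example.conf", "..%2F..%2Fexample.conf",
                "%252e%252e/example.conf", "/absolute/example.conf",
                "a\\..\\..\\example.conf"):
        print(f"{req!r:32} -> {resolve_within(BASE, req)}")
```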