CVE-2026-50101 CRITICAL

CVE-2026-50101: Naxclow IoT Platform Not using password aging

Vendor Naxclow
Product Smart Doorbell X3
Weakness CWE-262
Published June 12, 2026
Last update June 12, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 12, 2026 Record updated