CVE-2026-50108 HIGH

CVE-2026-50108: Naxclow IoT Platform Missing Authorization

Vendor Naxclow
Product Smart Doorbell X3
Weakness CWE-862 · Missing authorization
Published June 12, 2026
Last update June 12, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 12, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-1945 ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion CVE-2025-12961 Download Panel <= 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification CVE-2023-36526 WordPress Duplicate Post Page Menu & Custom Post Type plugin <= 2.4.1 - Broken Access Control vulnerability CVE-2025-13314 Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.6 - Missing Authorization to Unauthenticated Plugin Settings Modification CVE-2026-4331 Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action