{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-50101: Naxclow IoT Platform Not using password aging","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-50101","status":"final","version":"1","initial_release_date":"2026-06-12T18:07:37.195Z","current_release_date":"2026-06-12T19:01:57.435Z","revision_history":[{"date":"2026-06-12T18:07:37.195Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-50101 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-50101"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-50101"},{"category":"external","summary":"cisa.gov","url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02"},{"category":"external","summary":"github.com","url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json"}]},"product_tree":{"branches":[{"category":"vendor","name":"Naxclow","branches":[{"category":"product_name","name":"Smart Doorbell X3","branches":[{"category":"product_version","name":"All","product":{"name":"Naxclow Smart Doorbell X3 All","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:naxclow:smart_doorbell_x3:all:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Naxclow","branches":[{"category":"product_name","name":"X Smart Home","branches":[{"category":"product_version","name":"All","product":{"name":"Naxclow X Smart Home All","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:naxclow:x_smart_home:all:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Naxclow","branches":[{"category":"product_name","name":"V720","branches":[{"category":"product_version","name":"All","product":{"name":"Naxclow V720 All","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:naxclow:v720:all:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Naxclow","branches":[{"category":"product_name","name":"ix cam","branches":[{"category":"product_version","name":"All","product":{"name":"Naxclow ix cam All","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:naxclow:ix_cam:all:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-50101","title":"Naxclow IoT Platform Not using password aging","notes":[{"category":"description","text":"Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":9.2,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}]}]}