CVE-2026-50108 | Severity: HIGH | CNA: icscert

CVE-2026-50108: Naxclow IoT Platform Missing Authorization

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: no fix version published
Affected Products: 4


HarborGuard Analysis

Synopsis

Missing authorization in the Naxclow IoT Platform API allows an unauthenticated network attacker who can produce a platform-valid request signature to retrieve persistent relay credentials for any registered device. No authentication tied to device ownership or user identity is checked before the API returns these credentials. Successful exploitation lets the attacker register on the relay as an arbitrary device, intercepting and disrupting that device's communications. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-50108 is available across every HarborGuard environment; the CVE is ingested from upstream feeds, including ICS-CERT, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected Naxclow platform components.
Triage: Available

Triage is available using the CVSS v4.0 score of 8.7 (HIGH), weighted against each customer environment's compliance policy to reflect business context; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch: Pending upstream

Because no fix version has been published by Naxclow, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered without manual intervention once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API is exposed over the network, so an attacker must be able to send HTTP requests to the Naxclow platform endpoint.

  • Authentication: Not required

    No account or ownership credential is required; any actor who can produce a platform-valid request signature can reach the vulnerable endpoint.

  • Victim interaction: Not required

    The attack targets the platform API directly and does not require any action from a device owner or user.

  • Attack complexity: Low

    The exploit is reliable and condition-free once a valid platform request signature is obtained; no race condition or special environmental state is needed.

Blast Radius

  • Reads persistent relay credentials (such as long-lived tokens or pre-shared keys) for any device registered on the Naxclow platform.
  • Uses harvested credentials to register on the relay as the targeted device, positioning the attacker to intercept communications between the device and its backend.
  • Disrupts normal device operation by displacing the legitimate device registration, causing the real device to lose its relay connection.
  • Affects all listed Naxclow hardware lines (Smart Doorbell X3, X Smart Home, V720, ix cam), so a single credential-harvesting session can span multiple device types within one platform deployment.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the ICS-CERT advisory for CVE-2026-50108 is active, with the ingest pipeline re-checking for a published fix on every cycle. Because no upstream patch exists yet, customers running container images that embed or integrate Naxclow platform components are encouraged to apply compensating controls: restrict network access to the affected API endpoint using Kubernetes NetworkPolicy or equivalent egress filtering so only trusted services can reach it; consider feature-flag gating or API-gateway authorization rules that enforce device-ownership checks in front of the vulnerable endpoint as a short-term mitigation. Where compliance policy permits, HarborGuard will automatically trigger a patched-image rebuild, regression-test run, and a PR opened against affected workloads as soon as Naxclow publishes a fix version, with no manual steps required for environments that have auto-remediation enabled.
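The following is an added illustration, not code from the advisory or from Naxclow, of the authorization gap described above and of the device-ownership check that closes it. The request shape, the per-principal signing keys, the device table and the credential values are constructed assumptions; the real Naxclow API is not shown on this page.

```python
import hashlib
import hmac

# Constructed sample data (not Naxclow's real schema): one signing key per
# principal (device or owner) and a device table with owner and relay credential.
PRINCIPAL_KEYS = {
    "dev-A": b"key-dev-A", "dev-B": b"key-dev-B",
    "user-1": b"key-user-1", "user-2": b"key-user-2",
}
DEVICES = {
    "dev-A": {"owner": "user-1", "relay_credential": "relay-secret-A"},
    "dev-B": {"owner": "user-2", "relay_credential": "relay-secret-B"},
}


def sign(principal: str, device_id: str) -> str:
    """Platform-style request signature: HMAC-SHA256 over the request fields."""
    msg = f"{principal}|{device_id}".encode()
    return hmac.new(PRINCIPAL_KEYS[principal], msg, hashlib.sha256).hexdigest()


def _authenticated(principal: str, device_id: str, signature: str) -> bool:
    """Authentication only: the signature proves who sent the request; it says
    nothing about whether that sender may read device_id's credential."""
    if principal not in PRINCIPAL_KEYS:
        return False
    return hmac.compare_digest(sign(principal, device_id), signature)


def relay_registration_vulnerable(principal, device_id, signature):
    """Mirrors the advisory's flaw: any validly signed request is handed any
    device's persistent relay credential. Returns (http_status, credential)."""
    if not _authenticated(principal, device_id, signature):
        return 401, None
    device = DEVICES.get(device_id)
    if device is None:
        return 404, None
    return 200, device["relay_credential"]


def relay_registration_fixed(principal, device_id, signature):
    """Adds the missing authorization: the signer must be the device itself or
    its registered owner. Unknown and foreign devices get the same 403 so the
    endpoint cannot be used to enumerate device ids."""
    if not _authenticated(principal, device_id, signature):
        return 401, None
    device = DEVICES.get(device_id)
    if device is None or principal not in (device_id, device["owner"]):
        return 403, None
    return 200, device["relay_credential"]
```

The same ownership rule is what an API-gateway policy placed in front of the endpoint would have to enforce: bind the authenticated principal to the requested device id, rather than accepting any platform-valid signature.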

Affected packages

  • Naxclow / Smart Doorbell X3: all versions
  • Naxclow / X Smart Home: all versions
  • Naxclow / V720: all versions
  • Naxclow / ix cam: all versions
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N