Naxclow IoT Platform Missing Authorization
CVE-2026-50244

6.9MEDIUM

Key Information:

Vendor: Naxclow
Status: Smart Doorbell X3; X Smart Home; V720; Ix Cam
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-50244?

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint’s behavior enables precise fleet enumeration.

Affected Version(s)

ix cam All

Smart Doorbell X3 All

V720 All

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-1...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 8, 2026

Credit

Temuri Takalandze reported this vulnerability to CISA.

CVE-2026-50244 Data

JSON