motionEye (mEye) is a video surveillance interface that, before version 0.44.0, sets the main configuration file (/etc/motioneye/motion.conf) and per-camera configuration files (camera-*.conf) with 644 permissions, making them readable by all local users. These files contain sensitive information including the SHA1 hashed admin password and camera credentials. The exposed admin password hash can be cracked offline to recover the plaintext password. This password can then be used to forge authenticated admin API requests due to a signature authentication weakness (GHSA-45h7-499j-7ww3). Furthermore, this can be chained with an OS command injection vulnerability (CVE-2025-60787) to escalate a local unprivileged user to the Motion daemon user, often root, enabling full system compromise. The vulnerability is addressed in motionEye version 0.44.0.

Local users on affected systems can read sensitive configuration files containing the admin password hash and camera credentials. The exposed SHA1 hash can be cracked offline to obtain the plaintext admin password. Attackers can leverage this password to bypass authentication mechanisms and, combined with other vulnerabilities, escalate privileges to root, leading to full system compromise. The CVSS 3.1 base score is 5.5 (medium severity), reflecting the local attack vector and the potential confidentiality impact without direct integrity or availability impact.

This vulnerability is fixed in motionEye version 0.44.0. Users should upgrade to version 0.44.0 or later to ensure configuration files have correct permissions and sensitive data is protected. No other mitigation is indicated by the vendor advisory. Patch status is confirmed by the version fix stated in the description.