GHSA-j67x-q29f-qcvv
motionEye's missing authentication on ActionHandler allows unauthenticated camera action execution
Details
## Summary
The `ActionHandler.post()` method in motionEye has no authentication decorator, allowing any unauthenticated attacker to trigger camera actions including snapshots, recording start/stop, and configured action scripts (PTZ controls, alarm triggers, etc.).
## Vulnerability Details
**File**: `motioneye/handlers/action.py` — `ActionHandler.post()` line 36 **CWE**: CWE-862 — Missing Authorization **CVSS**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N = 5.3 Medium
### Vulnerable Code
```python class ActionHandler(BaseHandler): async def post(self, camera_id, action): # ← NO @BaseHandler.auth() decorator camera_id = int(camera_id) if camera_id not in config.get_camera_ids(): raise HTTPError(404, 'no such camera') ... if action == 'snapshot': await self.snapshot(camera_id) # executed without auth return elif action == 'record_start': return self.record_start(camera_id) elif action == 'record_stop': return self.record_stop(camera_id)
action_commands = config.get_action_commands(local_config) command = action_commands.get(action) ... self.run_command_bg(command) # executes predefined shell scripts ```
Compare with other handlers that correctly require authentication:
```python @BaseHandler.auth(admin=True) # ← properly protected async def delete(self, camera_id, filename): ... ```
## Steps to Reproduce
1. Deploy motionEye with at least one camera configured 2. Send unauthenticated POST:
``` POST /action/1/snapshot HTTP/1.1 Host: motioneye-host:8765 Content-Length: 0 ```
3. Observe `{}` (HTTP 200) response — snapshot triggered without any credentials
For action scripts (`lock`, `unlock`, `alarm_on`, `alarm_off`, `light_on`, etc.): ``` POST /action/1/alarm_on HTTP/1.1 Host: motioneye-host:8765 ```
## Impact
- Unauthenticated attacker can trigger camera snapshots on demand - Unauthenticated attacker can start/stop video recording - If action scripts are configured by admin: attacker can trigger PTZ movement, alarm control, lighting changes — physical security bypass - Via remote cameras: SSRF by triggering action on a remote motionEye server
## Verification
Dynamically confirmed on v0.43.1 in Docker lab — `POST /action/2/snapshot` with no credentials returns HTTP 200 `{}`. Server log shows the action was processed (failed only because motion daemon was not running for the test camera, not due to an auth rejection).
## Recommended Fix
```python class ActionHandler(BaseHandler): @BaseHandler.auth() # add authentication requirement async def post(self, camera_id, action): ... ```
Are you affected?
Enter the version of the package you're using.