VYPR
High severity · NVD Advisory · Published Mar 24, 2022 · Updated Aug 3, 2024

CVE-2022-25568

Description

MotionEye v0.42.1 and below allows attackers to access sensitive information via a GET request to /config/list. To exploit this vulnerability, a regular user password must be unconfigured.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MotionEye v0.42.1 and below exposes sensitive configuration via /config/list if no regular user password is set.

Vulnerability

MotionEye versions 0.42.1 and earlier expose a configuration information disclosure vulnerability through the /config/list endpoint. An unauthenticated GET request to this path returns the full application configuration, including sensitive data such as passwords, API keys, email credentials, and internal network details. The vulnerable code path is reachable when no regular user password has been configured, even if an admin password is set [1][4].

Exploitation

An attacker can exploit this vulnerability by sending a simple GET request to /config/list without any authentication. The attack requires no special privileges or user interaction. The only precondition is that the MotionEye instance does not have a regular user password configured; setting only an admin password does not prevent the disclosure [1][4].

Impact

Successful exploitation results in unauthorized disclosure of the full MotionEye configuration file. This typically exposes plaintext passwords, SMTP credentials, cloud storage tokens (e.g., Gmail, GDrive, FTP, SFTP), API keys, and internal IP addresses. The attacker gains sensitive information that can be used for further compromise, credential stuffing, or network reconnaissance. The impact is considered high because it bypasses intended authentication controls [4].

Mitigation

As of the available references, no official patched version has been released. The project maintainer closed the initial issue without a fix, and while a pull request was submitted, it has not been merged or tested [4]. Users are advised to set a regular user password to block access to the /config/list endpoint. Alternatively, restricting network access to the MotionEye web interface or placing it behind a reverse proxy with authentication can reduce exposure. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [2][3].
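To make the precondition above concrete, the following is a constructed Python model added for this page; it is not motionEye's own BaseHandler code (whose internals are not shown here), and the names Settings, Request, current_role, auth and list_config_before/after are hypothetical. It models an access check in which an unconfigured regular-user password lets an anonymous caller through, applies the same decorator change the patch makes, and shows that setting a regular-user password also closes the hole on the unpatched handler.

```python
from dataclasses import dataclass, field
from functools import wraps

FORBIDDEN = 403

@dataclass
class Settings:
    admin_password: str = ""
    user_password: str = ""   # "" means "no regular user password configured"
    config: dict = field(default_factory=lambda: {"smtp_password": "constructed-secret"})

@dataclass
class Request:
    username: str = ""        # "" means no credentials supplied at all
    password: str = ""

def current_role(settings, request):
    """Resolve the caller's role (assumed model of the pre-fix behaviour)."""
    if (request.username == "admin" and settings.admin_password
            and request.password == settings.admin_password):
        return "admin"
    # The regular user is accepted on a matching password, and also whenever
    # no regular-user password is configured: the advisory's precondition.
    if not settings.user_password or (
            request.username == "user" and request.password == settings.user_password):
        return "user"
    return None

def auth(admin=False):
    """Decorator modelled on the advisory's BaseHandler.auth() usage (assumption)."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(settings, request):
            role = current_role(settings, request)
            if role is None or (admin and role != "admin"):
                return FORBIDDEN
            return handler(settings, request)
        return wrapper
    return decorator

@auth()            # pre-fix decorator, as on the patch's '-' line
def list_config_before(settings, request):
    return settings.config

@auth(admin=True)  # post-fix decorator, as on the patch's '+' line
def list_config_after(settings, request):
    return settings.config

def outcomes():
    """Anonymous and admin requests against each handler under the settings the text discusses."""
    anon = Request()
    admin_only = Settings(admin_password="adminpw")                          # vulnerable precondition
    both_set = Settings(admin_password="adminpw", user_password="userpw")    # the mitigation
    return {
        "before, admin-only": list_config_before(admin_only, anon),
        "after, admin-only": list_config_after(admin_only, anon),
        "before, both set": list_config_before(both_set, anon),
        "after, admin creds": list_config_after(admin_only, Request("admin", "adminpw")),
    }
```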

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: motioneye (PyPI)
Affected versions: < 0.43.1b1
Patched versions: 0.43.1b1

Affected products

2

Patches

1
c60b64af5bb8

Bug Fix for Issue 2292

1 file changed · +1 −1
  • motioneye/handlers/config.py · +1 −1 · modified
    @@ -368,7 +368,7 @@ def _handle_get_config_response(self, camera_id, local_config, resp: utils.GetCo
             finished = self.check_finished(cameras, length)
             return
     
    -    @BaseHandler.auth()
    +    @BaseHandler.auth(admin=True)
         async def list(self):
             logging.debug('listing cameras')
     
    
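Review bot: Switching `list` to `@BaseHandler.auth(admin=True)` is a behaviour change for every non-admin caller, not only the anonymous one the advisory describes, and neither the hunk nor the commit message "Bug Fix for Issue 2292" says whether the web UI's camera listing for regular users depends on this handler; please state that in the commit message and, if regular users still need `list`, gate only the sensitive fields rather than the whole handler. A regression test that issues an unauthenticated GET to `/config/list` with no regular-user password configured and expects a 403 would also pin the fix, since the one-line decorator change is easy to revert unnoticed.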

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.