PatchSiren cyber security CVE debrief
CVE-2026-50101 Naxclow CVE debrief
A critical vulnerability, CVE-2026-50101, has been identified in Naxclow devices. The issue arises from a server-side, per-device relay credential that is re-issued to the device on each boot and remains valid indefinitely. This allows any party that obtains the credential through any exposure path to maintain persistent access to the device's relay channel, enabling long-term impersonation or interception, even after factory resets or re-onboarding.
- Vendor
- Naxclow
- Product
- Smart Doorbell X3
- CVSS
- CRITICAL 9.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users and administrators of Naxclow devices should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability has a CVSS score of 9.2 and is classified as CRITICAL. The CVSS vector is CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
High
Recommended defensive actions
- Immediately review and update device configurations to ensure secure credential management.
- Implement additional security measures to prevent exposure of the relay credential.
- Regularly monitor device activity for suspicious behavior.
Evidence notes
The vulnerability is described in the CVE record [cve-org]. Additional information can be found in the NVD detail [nvd] and source references [ref-4], [ref-5].
Official resources
CVE-2026-50101 was published on 2026-06-12T19:16:29.487Z and has not been modified since then.