PatchSiren cyber security CVE debrief
CVE-2026-50244 Naxclow CVE debrief
The Naxclow platform has a vulnerability, tracked as CVE-2026-50244, which exposes a registration endpoint that accepts signed requests with a batch prefix and an arbitrary caller-supplied account identifier. This endpoint does not validate any ownership relationship, allowing callers to measure and enumerate the active device space by minting new sequential device identifiers and retrieving the current high-water counter value for the batch. This behavior enables precise fleet enumeration.
- Vendor
- Naxclow
- Product
- Smart Doorbell X3
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Organizations using the Naxclow platform should be aware of this vulnerability, as it could allow attackers to enumerate their device fleets.
Technical summary
The vulnerability has a CVSS score of 6.9 and is classified as medium severity. It can be exploited over the network with low attack complexity and no privileges required.
Defensive priority
High
Recommended defensive actions
- Review and update configurations to restrict access to the registration endpoint.
- Implement proper validation of ownership relationships for account identifiers.
- Monitor for suspicious activity related to device enumeration.
Evidence notes
The CVE record and details can be found at [cve-org]. Additional information is available from [nvd].
Official resources
CVE-2026-50244 was published on 2026-06-12T19:16:29.773Z and has not been modified since.