CVE-2026-50244
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space.
Risk Assessment
The lack of ownership relationship validation poses a risk that unauthorized users may enumerate active devices in the system, potentially leading to further attacks or abuses.
Recommendation
It is recommended to implement ownership relationship validation for account identifiers at the registration endpoint and restrict access to this endpoint only to authorized users.
Original NVD description (English source)
The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint’s behavior enables precise fleet enumeration.

