CVE Catalog

CVE-2026-50244

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile - higher than 9% of all known CVEs

Summary

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space.

Risk Assessment

The lack of ownership relationship validation poses a risk that unauthorized users may enumerate active devices in the system, potentially leading to further attacks or abuses.

Recommendation

It is recommended to implement ownership relationship validation for account identifiers at the registration endpoint and restrict access to this endpoint only to authorized users.

Original NVD description (English source)

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint’s behavior enables precise fleet enumeration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS