GHSA-hrr2-8g8j-2h2hHighCVSS 8.8

A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then...

Published
June 12, 2026
Last Modified
June 12, 2026

🔗 CVE IDs covered (1)

📋 Description

A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker with any account can take over a device without user interaction while the device remains online and unaware.

🔗 References (4)