Description
Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6.
References (3)
Core 3
Core References
url
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-084-01.json
Vendor Advisory release-notes
vendor-advisory
url
https://support.nanoleaf.me/hc/en-us/articles/45269445987092-Products-Firmware-Release-Notes-2026
Scores
CVSS v3
6.5
EPSS
0.0034
EPSS Percentile
25.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (2)
Nanoleaf/Lines
12.3.2 - 12.3.6
Nanoleaf/Lines
12.3.6
Published
Mar 25, 2026
Tracked Since
Mar 25, 2026