CVE-2026-33268

MEDIUM

Nanoleaf Lines unauthenticated firmware file store

Title source: cna

Description

Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6.

References (3)

https://www.cve.org/CVERecord?id=CVE-2026-33268

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-084-01.json

[Vendor Advisory] https://support.nanoleaf.me/hc/en-us/articles/45269445987092-Products-Firmware-Release-Notes-2026

Scores

CVSS v3 6.5

EPSS 0.0009

EPSS Percentile 25.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (2)

Nanoleaf/Lines 12.3.2 - 12.3.6

Nanoleaf/Lines 12.3.6

Published Mar 25, 2026

Tracked Since Mar 25, 2026