CVE-2026-33268

MEDIUM 6.5

Nanoleaf Lines unauthenticated firmware file store

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6.

CWE	CWE-400
Vendor	nanoleaf
Product	lines
Published	Mar 25, 2026
Last Updated	Mar 25, 2026

Stay Ahead of the Next One

Get instant alerts for nanoleaf lines

Be the first to know when new medium vulnerabilities affecting nanoleaf lines are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Affected Versions

Nanoleaf / Lines

12.3.2 < 12.3.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cve.org: https://www.cve.org/CVERecord?id=CVE-2026-33268 raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-084-01.json support.nanoleaf.me: https://support.nanoleaf.me/hc/en-us/articles/45269445987092-Products-Firmware-Release-Notes-2026

Credits

Souvik Kandar