{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33268", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-03-18T15:41:17.786Z", "datePublished": "2026-03-25T14:21:30.534Z", "dateUpdated": "2026-03-25T15:53:45.320Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6."}], "affected": [{"vendor": "Nanoleaf", "product": "Lines", "defaultStatus": "unknown", "versions": [{"version": "12.3.2", "status": "affected", "lessThan": "12.3.6", "versionType": "custom"}, {"version": "12.3.6", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE", "cweId": "CWE-400"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T17:53:43.635243Z", "id": "CVE-2026-33268", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "Nanoleaf Lines unauthenticated firmware file store", "references": [{"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-33268"}, {"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-084-01.json"}, {"name": "url", "url": "https://support.nanoleaf.me/hc/en-us/articles/45269445987092-Products-Firmware-Release-Notes-2026", "tags": ["release-notes", "vendor-advisory"]}], "credits": [{"value": "Souvik Kandar", "lang": "en"}], "datePublic": "2026-03-25T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-25T15:53:45.320Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:50:46.155222Z", "id": "CVE-2026-33268", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:50:54.641Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:50:46.155222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:50:50.928Z"}}], "cna": {"title": "Nanoleaf Lines unauthenticated firmware file store", "credits": [{"lang": "en", "value": "Souvik Kandar"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T17:53:43.635243Z"}}}], "affected": [{"vendor": "Nanoleaf", "product": "Lines", "versions": [{"status": "affected", "version": "12.3.2", "lessThan": "12.3.6", "versionType": "custom"}, {"status": "unaffected", "version": "12.3.6"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-25T00:00:00.000Z", "references": [{"url": "https://www.cve.org/CVERecord?id=CVE-2026-33268", "name": "url"}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-084-01.json", "name": "url"}, {"url": "https://support.nanoleaf.me/hc/en-us/articles/45269445987092-Products-Firmware-Release-Notes-2026", "name": "url", "tags": ["release-notes", "vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-25T15:53:45.320Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33268", "state": "PUBLISHED", "dateUpdated": "2026-03-25T15:53:45.320Z", "dateReserved": "2026-03-18T15:41:17.786Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2026-03-25T14:21:30.534Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6."}], "id": "CVE-2026-33268", "lastModified": "2026-03-25T16:16:21.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-03-25T15:16:48.280", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-084-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://support.nanoleaf.me/hc/en-us/articles/45269445987092-Products-Firmware-Release-Notes-2026"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://www.cve.org/CVERecord?id=CVE-2026-33268"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.3.2,12.3.6)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "12.3.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Lines", "source": "cna", "vendor": "Nanoleaf"}, "product": "lines", "vendor": "nanoleaf"}], "analysis": {"en": {"generated_at": "2026-03-25T15:20:36.245297+00:00", "value": {"mitigation_remediation": ["Upgrade Nanoleaf Lines firmware to version 12.3.6 or later."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via Storage Exhaustion"}, "threat_synthesis": {"affected_systems": "The affected product is Nanoleaf Lines, specifically shipping firmware version 12.3.2 (and any intermediate releases up to 12.3.5). All devices running these firmware versions that allow firmware uploads are vulnerable. The issue is resolved in firmware 12.3.6.", "description_and_impact": "The vulnerability lies in the firmware upload functionality of Nanoleaf Lines 12.3.2, which does not authenticate incoming firmware files. An attacker can remotely upload arbitrary firmware, forcing the device to write data to storage until capacity is exhausted. This leads to a denial of service by exhausting available storage and potentially rendering the device inoperable. The weakness corresponds to CWE-400: Uncontrolled Resource Consumption.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity vulnerability. No EPSS score is available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The description confirms that an unauthenticated attacker can remotely exploit the flaw by uploading firmware, which suggests that the attack vector is network-based and requires no local privileges. While the impact is limited to resource exhaustion, repeated exploitation could disrupt the device's normal operation."}}}}, "created": "2026-03-25T21:31:07.701572+00:00", "updated": "2026-03-26T11:43:04.706484+00:00", "vendors": ["nanoleaf", "nanoleaf$PRODUCT$lines"]}