PT-2026-24471 · Unknown · Nerves-Hub Nerves Hub Web

Joshk · Published 2026-03-10 · Updated 2026-05-27 · CVE-2026-28806

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: nerves-hub nerves hub web versions 1.0.0 through 2.3.9
Description: An improper authorization issue exists in nerves-hub nerves hub web that allows cross-organization device control through device bulk actions and the device update API. Missing authorization checks in the device bulk actions and device update API endpoints permit authenticated users to target devices belonging to other organizations and perform actions beyond their authorized access level. An attacker can manipulate device identifiers to select devices outside of their organization and perform management actions, potentially interfering with firmware updates, accessing device functionality, or disrupting device connectivity. In environments with remote console access enabled, this could lead to full compromise of affected devices.
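The missing check described above, as an added Python illustration that is not code from NervesHub (whose web application is written in Elixir): a bulk-action handler that selects devices by identifier alone, beside one in which the bulk-action and device-update paths share a lookup scoped to the caller's organization. The device records, organization ids and function names are constructed for this example.

```python
from dataclasses import dataclass, replace

class NotFound(Exception):
    """Raised for ids outside the caller's org. Answering 404 rather than 403
    avoids confirming that a foreign device id exists."""

@dataclass(frozen=True)
class Device:
    id: int
    org_id: int
    identifier: str
    firmware: str = "1.0.0"

# Constructed inventory: two organizations that must never reach each other's devices.
DEVICES = {
    1: Device(1, org_id=10, identifier="orgA-gateway-01"),
    2: Device(2, org_id=10, identifier="orgA-gateway-02"),
    3: Device(3, org_id=20, identifier="orgB-sensor-01"),
}

def bulk_action_unscoped(device_ids, action):
    """Vulnerable pattern: the selection is keyed on device id only, so the
    caller's organization never enters the decision and any id is accepted."""
    return [(DEVICES[i].identifier, action) for i in device_ids if i in DEVICES]

def devices_in_org(requester_org_id, device_ids):
    """Single scoped lookup shared by the bulk-action and update paths.
    Fails closed: one id outside the org rejects the whole batch."""
    wanted = list(dict.fromkeys(device_ids))  # de-duplicate, keep order
    found = [DEVICES[i] for i in wanted
             if i in DEVICES and DEVICES[i].org_id == requester_org_id]
    if len(found) != len(wanted):
        ok = {d.id for d in found}
        rejected = [i for i in wanted if i not in ok]
        raise NotFound(f"device ids not in org {requester_org_id}: {rejected}")
    return found

def bulk_action_scoped(requester_org_id, device_ids, action):
    """Hardened bulk action: only devices proven to belong to the caller's org are acted on."""
    return [(d.identifier, action) for d in devices_in_org(requester_org_id, device_ids)]

def update_device_scoped(requester_org_id, device_id, firmware):
    """Hardened single-device update path, reusing the same scoped lookup."""
    (device,) = devices_in_org(requester_org_id, [device_id])
    updated = replace(device, firmware=firmware)
    DEVICES[device.id] = updated
    return updated
```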
Fix

Recommendations: Update nerves-hub nerves hub web to version 2.4.0 or later.

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Improper Authorization

Related identifiers

CVE-2026-28806
GHSA-F8FR-MCCC-XVCX

Affected products

Nerves-Hub Nerves Hub Web