PT-2026-24471 · Unknown · Nerves-Hub Nerves Hub Web
Joshk · Published 2026-03-10 · Updated 2026-05-27
CVE-2026-28806
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
nerves-hub NervesHub Web (the nerves_hub_web repository), versions 1.0.0 through 2.3.9
Description
An improper authorization vulnerability in nerves-hub NervesHub Web allows cross-organization device control through the device bulk actions and the device update API. Both endpoints resolve the submitted device identifiers without verifying that each device belongs to the caller's organization, so any authenticated user, a member of any organization, can name devices owned by other organizations and perform management actions on them that exceed their authorized access. An attacker who manipulates the device identifiers in a request can therefore interfere with firmware updates, reach device functionality, or disrupt device connectivity for devices they do not own. Where remote console access to devices is enabled, this can lead to full compromise of the affected devices.
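To make the flaw concrete, here is an added illustration, not NervesHub code: the User and Device records, the in-memory store, the sample tenants, the bulk_action_vulnerable / bulk_action_fixed handlers and update_device_fixed are all constructed for this page. It contrasts a handler that resolves submitted device ids against the whole device table (the pattern the description names) with the same handler scoped to the caller's organization, where a foreign id is an authorization failure rather than a hit:

```python
"""Illustration of the missing-authorization pattern the advisory describes.

Added example, not NervesHub code: User, Device, the in-memory store and the
handlers below are constructed for this page. They contrast resolving a
submitted device identifier globally (any authenticated user reaches any
device) with resolving it inside the caller's organization (a foreign
identifier is an authorization failure, not a hit).
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """The request named a device outside the caller's organization."""


@dataclass(frozen=True)
class User:
    id: int
    org_id: int


@dataclass
class Device:
    id: int
    org_id: int
    identifier: str
    updates_enabled: bool = True
    tags: list = field(default_factory=list)


# Fields a device update request may touch: a whitelist, not setattr-anything.
UPDATABLE = {"updates_enabled", "tags"}


def sample_store():
    """Constructed tenants: org 10 owns two devices, org 20 owns one."""
    return {
        1: Device(1, org_id=10, identifier="org10-dev-a"),
        2: Device(2, org_id=10, identifier="org10-dev-b"),
        3: Device(3, org_id=20, identifier="org20-dev-c"),
    }


def _apply(device, action):
    """Constructed management actions standing in for real bulk actions."""
    if action == "disable-updates":
        device.updates_enabled = False
    elif action.startswith("tag:"):
        device.tags.append(action[4:])
    else:
        raise ValueError(f"unknown action {action!r}")


def bulk_action_vulnerable(user, store, device_ids, action):
    """Before: the caller is authenticated, but the ids are resolved against
    the whole device table. Nothing relates them to user.org_id, so an org-20
    user can act on org-10 devices."""
    devices = [store[i] for i in device_ids if i in store]
    for d in devices:
        _apply(d, action)
    return [d.identifier for d in devices]


def bulk_action_fixed(user, store, device_ids, action):
    """After: resolve ids scoped to the caller's organization and refuse the
    whole batch if any id falls outside it. Failing closed, rather than
    silently dropping foreign ids, also stops the response from acting as an
    oracle for which ids exist in other organizations."""
    requested = set(device_ids)
    devices = [d for d in store.values()
               if d.id in requested and d.org_id == user.org_id]
    if {d.id for d in devices} != requested:
        raise AuthorizationError("device not in caller's organization")
    for d in devices:
        _apply(d, action)
    return [d.identifier for d in devices]


def update_device_fixed(user, store, identifier, attrs):
    """Same rule on the single-device update path: look the device up by
    (org_id, identifier), never by identifier alone, then only write
    whitelisted fields."""
    device = next((d for d in store.values()
                   if d.org_id == user.org_id and d.identifier == identifier), None)
    if device is None:
        raise AuthorizationError("device not in caller's organization")
    unknown = set(attrs) - UPDATABLE
    if unknown:
        raise ValueError(f"fields not updatable: {sorted(unknown)}")
    for k, v in attrs.items():
        setattr(device, k, v)
    return device


def denied(handler, *args):
    """True if the handler refuses the request with AuthorizationError."""
    try:
        handler(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    attacker = User(id=99, org_id=20)  # member of org 20 only
    print(bulk_action_vulnerable(attacker, sample_store(), [1, 3], "disable-updates"))
    print(denied(bulk_action_fixed, attacker, sample_store(), [1, 3], "disable-updates"))
```

The fixed handlers fail closed on the whole batch instead of silently dropping foreign ids, because a partial success would tell the caller which ids exist in other organizations. The same (org_id, identifier) scoping has to be applied on every write path, bulk actions and single-device update alike: one unscoped endpoint is enough to reproduce the cross-organization control described above.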
Recommendations
Update nerves-hub NervesHub Web to version 2.4.0 or later.
Weakness Type
Exposure of Resource to Wrong Sphere (CWE-668)
Improper Authorization (CWE-285)
Affected Products
Nerves-Hub Nerves Hub Web