anonhaven
Ad

CVE-2026-28806

CRITICAL CVSS 4.0: 9.4 EPSS 0.04%
Updated Mar 10, 2026
Parameter Value
CVSS 9.4 (CRITICAL)
Affected Versions before 2.4.0.
Type CWE-668 (Exposure of Resource to Wrong Sphere), CWE-285 (Improper Authorization)
Public PoC No

Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control.

This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-668 Exposure of Resource to Wrong Sphere
CWE-285 Improper Authorization

References 2

https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3…
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc…
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Share Post Share Share Share