CVE-2026-28806 (GCVE-0-2026-28806)

Vulnerability from cvelistv5 – Published: 2026-03-10 21:30 – Updated: 2026-03-12 03:58
Title
Improper authorization in device bulk actions and device update API allows cross-organization device control
Summary
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
CWE
  • CWE-285 - Improper Authorization
  • CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
EEF
Impacted products
Vendor      Product          Version
nerves-hub  nerves_hub_web   Affected: 1.0.0 , < 2.4.0 (semver)
                             Affected: pkg:otp/nerves_hub@1.0.0 , < pkg:otp/nerves_hub@2.4.0 (purl)
                             cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*
nerves-hub  nerves_hub_web   Affected: 1.0.0 , < 2.4.0 (semver)
                             Affected: pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub&tag=1.0.0 , < pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub&tag=2.4.0 (purl)
                             cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*
nerves-hub  nerves_hub_web   Affected: adaeefdb7a835525482588f43332ef988cc448c7 , < 1f69c9d595684a4650c3ac702f3dc7c5bcd7526c (git)
                             Affected: pkg:github/nerves-hub/nerves_hub_web@adaeefdb7a835525482588f43332ef988cc448c7 , < pkg:github/nerves-hub/nerves_hub_web@1f69c9d595684a4650c3ac702f3dc7c5bcd7526c (purl)
                             cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*
Credits
  • Josh Kalderimis / NervesHub team & NervesCloud (finder)
  • Jonatan Männchen / EEF (coordinator)
  • Lars Wikman / NervesHub team & NervesCloud (remediation reviewer)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28806",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T14:36:05.863739Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T14:36:23.357Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "nerves_hub",
          "packageURL": "pkg:otp/nerves_hub?repository_url=https:%2F%2Fgithub.com%2Fnerves-hub%2Fnerves_hub_web\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Fnerves-hub%2Fnerves_hub_web.git",
          "product": "nerves_hub_web",
          "repo": "https://github.com/nerves-hub/nerves_hub_web",
          "vendor": "nerves-hub",
          "versions": [
            {
              "lessThan": "2.4.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "pkg:otp/nerves_hub@2.4.0",
              "status": "affected",
              "version": "pkg:otp/nerves_hub@1.0.0",
              "versionType": "purl"
            }
          ]
        },
        {
          "collectionURL": "https://ghcr.io",
          "cpes": [
            "cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "nerves-hub/nerves-hub",
          "packageURL": "pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub",
          "product": "nerves_hub_web",
          "vendor": "nerves-hub",
          "versions": [
            {
              "lessThan": "2.4.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub\u0026tag=2.4.0",
              "status": "affected",
              "version": "pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub\u0026tag=1.0.0",
              "versionType": "purl"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "nerves-hub/nerves_hub_web",
          "packageURL": "pkg:github/nerves-hub/nerves_hub_web",
          "product": "nerves_hub_web",
          "repo": "https://github.com/nerves-hub/nerves_hub_web.git",
          "vendor": "nerves-hub",
          "versions": [
            {
              "lessThan": "1f69c9d595684a4650c3ac702f3dc7c5bcd7526c",
              "status": "affected",
              "version": "adaeefdb7a835525482588f43332ef988cc448c7",
              "versionType": "git"
            },
            {
              "lessThan": "pkg:github/nerves-hub/nerves_hub_web@1f69c9d595684a4650c3ac702f3dc7c5bcd7526c",
              "status": "affected",
              "version": "pkg:github/nerves-hub/nerves_hub_web@adaeefdb7a835525482588f43332ef988cc448c7",
              "versionType": "purl"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.4.0",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Josh Kalderimis / NervesHub team \u0026 NervesCloud"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jonatan M\u00e4nnchen / EEF"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Lars Wikman / NervesHub team \u0026 NervesCloud"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\u003cp\u003eMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\u003c/p\u003e\u003cp\u003eAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\u003c/p\u003e\u003cp\u003eIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\u003c/p\u003e\u003cp\u003eThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\n\nMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\n\nAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\n\nIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\n\nThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285 Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668 Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T03:58:38.764Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Improper authorization in device bulk actions and device update API allows cross-organization device control",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-28806",
    "datePublished": "2026-03-10T21:30:58.581Z",
    "dateReserved": "2026-03-03T14:40:00.589Z",
    "dateUpdated": "2026-03-12T03:58:38.764Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

