FKIE_CVE-2026-28806

Vulnerability from fkie_nvd - Published: 2026-03-10 22:16 - Updated: 2026-03-11 13:52
Severity ?
9.4 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
References
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\n\nMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\n\nAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\n\nIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\n\nThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de autorizaci\u00f3n indebida en nerves-hub nerves_hub_web permite el control de dispositivos entre organizaciones a trav\u00e9s de acciones masivas de dispositivos y la API de actualizaci\u00f3n de dispositivos.\n\nLa falta de comprobaciones de autorizaci\u00f3n en los puntos finales de las acciones masivas de dispositivos y la API de actualizaci\u00f3n de dispositivos permite a los usuarios autenticados dirigir dispositivos que pertenecen a otras organizaciones y realizar acciones fuera de su nivel de privilegio.\n\nUn atacante puede seleccionar dispositivos fuera de su organizaci\u00f3n manipulando los identificadores de los dispositivos y realizar acciones de gesti\u00f3n sobre ellos, como moverlos a productos que controlan. Esto puede permitir a los atacantes interferir con las actualizaciones de firmware, acceder a la funcionalidad del dispositivo expuesta por la plataforma o interrumpir la conectividad del dispositivo.\n\nEn entornos donde caracter\u00edsticas adicionales como el acceso a la consola remota est\u00e1n habilitadas, esto podr\u00eda llevar a un compromiso total de los dispositivos afectados.\n\nEste problema afecta a nerves_hub_web: desde la versi\u00f3n 1.0.0 anterior a la 2.4.0."
    }
  ],
  "id": "CVE-2026-28806",
  "lastModified": "2026-03-11T13:52:47.683",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.4,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-10T22:16:18.420",
  "references": [
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx"
    }
  ],
  "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        },
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.