Detections
Analytics

CVE-2026-28806

critical

Description

Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.

References

https://osv.dev/vulnerability/EEF-CVE-2026-28806

https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx

https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c

https://cna.erlef.org/cves/CVE-2026-28806.html

Details

Source: Mitre, NVD

Published: 2026-03-10

Updated: 2026-04-06

Risk Information

CVSS v2

Base Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 9.4

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Severity: Critical

EPSS

EPSS: 0.00038