CVE-2026-28806

Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c
https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-10 22:16

Updated : 2026-03-11 13:52

NVD link : CVE-2026-28806

Mitre link : CVE-2026-28806

CVE.ORG link : CVE-2026-28806

JSON object : View

Products Affected

No product.

CWE

CWE-285

Improper Authorization

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2026-28806", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-10T22:16:18.420", "references": [{"url": "https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}, {"url": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\n\nMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\n\nAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\n\nIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\n\nThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n indebida en nerves-hub nerves_hub_web permite el control de dispositivos entre organizaciones a trav\u00e9s de acciones masivas de dispositivos y la API de actualizaci\u00f3n de dispositivos.\n\nLa falta de comprobaciones de autorizaci\u00f3n en los puntos finales de las acciones masivas de dispositivos y la API de actualizaci\u00f3n de dispositivos permite a los usuarios autenticados dirigir dispositivos que pertenecen a otras organizaciones y realizar acciones fuera de su nivel de privilegio.\n\nUn atacante puede seleccionar dispositivos fuera de su organizaci\u00f3n manipulando los identificadores de los dispositivos y realizar acciones de gesti\u00f3n sobre ellos, como moverlos a productos que controlan. Esto puede permitir a los atacantes interferir con las actualizaciones de firmware, acceder a la funcionalidad del dispositivo expuesta por la plataforma o interrumpir la conectividad del dispositivo.\n\nEn entornos donde caracter\u00edsticas adicionales como el acceso a la consola remota est\u00e1n habilitadas, esto podr\u00eda llevar a un compromiso total de los dispositivos afectados.\n\nEste problema afecta a nerves_hub_web: desde la versi\u00f3n 1.0.0 anterior a la 2.4.0."}], "lastModified": "2026-03-11T13:52:47.683", "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"}