CVE-2026-28806: CWE-285 Improper Authorization in nerves-hub nerves_hub_web
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
AI Analysis
Technical Summary
The vulnerability CVE-2026-28806 in nerves_hub_web arises from missing authorization checks in device bulk actions and device update API endpoints. Authenticated users can manipulate device identifiers to target and control devices belonging to other organizations, performing management actions beyond their privileges. This improper authorization (CWE-285) and potential for unauthorized access to device functionality (CWE-668) can disrupt device operations and, with additional features like remote console access, may lead to full device compromise. The issue affects nerves_hub_web versions from 1.0.0 up to but not including 2.4.0.
Potential Impact
Exploitation allows attackers with authenticated access to control devices outside their organization, potentially interfering with firmware updates, accessing device features, and disrupting device connectivity. In setups with remote console access enabled, attackers could fully compromise affected devices. This poses a significant risk to device integrity and availability across organizations using vulnerable versions of nerves_hub_web.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict authenticated user permissions to trusted personnel only and monitor for unusual device management activities. Avoid enabling additional features such as remote console access unless necessary and ensure strict access controls are in place. Follow vendor communications closely for updates on patches or official mitigations.
CVE-2026-28806: CWE-285 Improper Authorization in nerves-hub nerves_hub_web
Description
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
CVSS v4.0
Score 9.4critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-28806 in nerves_hub_web arises from missing authorization checks in device bulk actions and device update API endpoints. Authenticated users can manipulate device identifiers to target and control devices belonging to other organizations, performing management actions beyond their privileges. This improper authorization (CWE-285) and potential for unauthorized access to device functionality (CWE-668) can disrupt device operations and, with additional features like remote console access, may lead to full device compromise. The issue affects nerves_hub_web versions from 1.0.0 up to but not including 2.4.0.
Potential Impact
Exploitation allows attackers with authenticated access to control devices outside their organization, potentially interfering with firmware updates, accessing device features, and disrupting device connectivity. In setups with remote console access enabled, attackers could fully compromise affected devices. This poses a significant risk to device integrity and availability across organizations using vulnerable versions of nerves_hub_web.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict authenticated user permissions to trusted personnel only and monitor for unusual device management activities. Avoid enabling additional features such as remote console access unless necessary and ensure strict access controls are in place. Follow vendor communications closely for updates on patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-03-03T14:40:00.589Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69b090d12f860ef943c885b5
Added to database: 3/10/2026, 9:44:49 PM
Last enriched: 5/27/2026, 8:04:45 PM
Last updated: 6/8/2026, 9:16:35 PM
Views: 150
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.