CVE-2026-28806: CWE-285 Improper Authorization in nerves-hub nerves_hub_web
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
AI Analysis
Technical Summary
This vulnerability in nerves_hub_web arises from missing authorization checks in device bulk actions and device update API endpoints. Authenticated users can exploit this by selecting and managing devices belonging to other organizations, performing unauthorized actions such as reassigning devices to different products. The flaw enables cross-organization device control, potentially impacting device management, firmware updates, and connectivity. The issue affects versions from 1.0.0 up to but not including 2.4.0.
Potential Impact
Exploitation allows attackers with authenticated access to control devices outside their organization, potentially disrupting device operations, interfering with firmware updates, and accessing device functionality. If remote console access is enabled, attackers may achieve full device compromise. This represents a critical security risk to device integrity and operational continuity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch links or official fixes are provided, users should monitor the vendor's communications for updates. Until a fix is available, restrict authenticated user privileges carefully and avoid enabling additional features like remote console access that increase risk.
CVE-2026-28806: CWE-285 Improper Authorization in nerves-hub nerves_hub_web
Description
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in nerves_hub_web arises from missing authorization checks in device bulk actions and device update API endpoints. Authenticated users can exploit this by selecting and managing devices belonging to other organizations, performing unauthorized actions such as reassigning devices to different products. The flaw enables cross-organization device control, potentially impacting device management, firmware updates, and connectivity. The issue affects versions from 1.0.0 up to but not including 2.4.0.
Potential Impact
Exploitation allows attackers with authenticated access to control devices outside their organization, potentially disrupting device operations, interfering with firmware updates, and accessing device functionality. If remote console access is enabled, attackers may achieve full device compromise. This represents a critical security risk to device integrity and operational continuity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch links or official fixes are provided, users should monitor the vendor's communications for updates. Until a fix is available, restrict authenticated user privileges carefully and avoid enabling additional features like remote console access that increase risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-03-03T14:40:00.589Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69b090d12f860ef943c885b5
Added to database: 3/10/2026, 9:44:49 PM
Last enriched: 4/7/2026, 5:46:42 AM
Last updated: 4/24/2026, 11:46:47 AM
Views: 94
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.