
CVE-2026-28806: CWE-285 Improper Authorization in nerves-hub nerves_hub_web

Severity: Critical
Tags: Vulnerability, CVE-2026-28806, cve, cve-2026-28806, cwe-285, cwe-668
Published: Tue Mar 10 2026 (03/10/2026, 21:30:58 UTC)
Source: CVE Database V5
Vendor/Project: nerves-hub
Product: nerves_hub_web

Description

CVE-2026-28806 is a critical improper authorization vulnerability in nerves-hub's nerves_hub_web component affecting versions from 1.0.0 before 2.4.0. It allows authenticated users with limited privileges to manipulate device identifiers and perform unauthorized bulk device actions or updates on devices belonging to other organizations. This can lead to unauthorized device management, including moving devices to attacker-controlled products, interfering with firmware updates, and disrupting device connectivity. In environments with remote console access enabled, attackers may fully compromise affected devices. The vulnerability requires no user interaction and can be exploited remotely over the network with low attack complexity. The CVSS 4.

AI-Powered Analysis

AI analysis last updated: 03/10/2026, 21:59:07 UTC

Technical Analysis

CVE-2026-28806 is an improper authorization vulnerability (CWE-285) found in the nerves_hub_web component of the nerves-hub project, affecting versions from 1.0.0 up to but not including 2.4.0. The vulnerability arises from missing authorization checks in the device bulk actions and device update API endpoints. Authenticated users with legitimate access to the platform can manipulate device identifiers to target devices outside their own organization. This allows them to perform unauthorized management actions such as moving devices to products they control, interfering with firmware updates, or disrupting device connectivity. The vulnerability also relates to CWE-668, which concerns exposure of resource access control. If additional features like remote console access are enabled, attackers could gain full control over affected devices, leading to complete device compromise. The flaw is remotely exploitable without user interaction and requires only low privileges, making it highly dangerous. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, low privileges required (any authenticated user), no user interaction, and high impact on confidentiality, integrity, and availability. This vulnerability affects organizations using nerves_hub_web for device management, especially those managing IoT or embedded devices across multiple organizations or tenants.
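The flaw class described above, a bulk action that acts on device identifiers supplied in the request without confirming that they belong to the caller's organization, is easiest to see next to its fix. The following is an added illustration, not nerves_hub_web code: the `DeviceStore`, `Device`, `Product` and handler names are assumptions, and the fixture data is constructed. The hardened handler resolves every identifier inside the caller's organization before any write, rejects the whole batch if one identifier fails, and returns the same error for unknown and foreign devices so the response does not confirm that a device exists elsewhere.

```python
"""Hypothetical org-scoped authorization for a bulk device action.

Constructed illustration, not nerves_hub_web code: it models the flaw class
(device identifiers taken from the request and acted on without checking
ownership) and the corresponding fix.
"""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a request references a resource outside the caller's org."""


@dataclass
class Device:
    id: str
    org_id: str
    product_id: str


@dataclass
class Product:
    id: str
    org_id: str


class DeviceStore:
    """Tiny in-memory stand-in for the database (assumed, not the project's)."""

    def __init__(self, devices, products):
        self.devices = {d.id: d for d in devices}
        self.products = {p.id: p for p in products}


def make_demo_store():
    """Constructed fixture: org-a owns dev-a1/dev-a2 and prod-a, org-b owns dev-b1 and prod-b."""
    devices = [
        Device("dev-a1", "org-a", "prod-a"),
        Device("dev-a2", "org-a", "prod-a"),
        Device("dev-b1", "org-b", "prod-b"),
    ]
    products = [Product("prod-a", "org-a"), Product("prod-b", "org-b")]
    return DeviceStore(devices, products)


def bulk_move_unscoped(store, caller_org, device_ids, target_product_id):
    """Vulnerable pattern: identifiers from the request are trusted as-is.

    The caller's organization is never compared with the owner of each
    device, so a user in one organization can move another organization's
    devices into a product of their own.
    """
    for device_id in device_ids:
        device = store.devices[device_id]          # global lookup, no owner check
        device.product_id = target_product_id
    return len(device_ids)


def bulk_move_scoped(store, caller_org, device_ids, target_product_id):
    """Hardened pattern: every identifier is resolved inside the caller's org.

    Authorization happens before any write, the whole batch is rejected if a
    single identifier is unknown or foreign, and both cases raise the same
    error so the response does not leak whether a device exists elsewhere.
    """
    target = store.products.get(target_product_id)
    if target is None or target.org_id != caller_org:
        raise AuthorizationError("target product not found in caller's organization")

    resolved = []
    for device_id in device_ids:
        device = store.devices.get(device_id)
        if device is None or device.org_id != caller_org:
            raise AuthorizationError("one or more devices not found in caller's organization")
        resolved.append(device)

    for device in resolved:                        # writes only after the full batch passed
        device.product_id = target_product_id
    return len(resolved)


def request_is_rejected(handler, store, caller_org, device_ids, target_product_id):
    """Return True when the handler refuses the request with AuthorizationError."""
    try:
        handler(store, caller_org, device_ids, target_product_id)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    store = make_demo_store()
    bulk_move_unscoped(store, "org-b", ["dev-a1"], "prod-b")
    print("unscoped handler, dev-a1 now in:", store.devices["dev-a1"].product_id)  # prod-b

    store = make_demo_store()
    print("scoped handler rejects:", request_is_rejected(bulk_move_scoped, store, "org-b", ["dev-a1"], "prod-b"))
    print("dev-a1 still in:", store.devices["dev-a1"].product_id)  # prod-a
```

The all-or-nothing behaviour matters for bulk endpoints: validating each device as it is written leaves a partially applied batch when the third identifier fails, which is both an integrity problem and a signal that the check ran too late.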

Potential Impact

The impact of CVE-2026-28806 is significant for organizations relying on nerves_hub_web for managing fleets of devices, particularly in multi-tenant or multi-organization environments. Attackers can gain unauthorized control over devices belonging to other organizations, potentially disrupting critical device operations, interfering with firmware updates, or causing denial of service by disrupting connectivity. In scenarios where remote console access is enabled, attackers could fully compromise devices, leading to data theft, manipulation of device functionality, or use of devices as pivot points for further network intrusion. This undermines the confidentiality, integrity, and availability of managed devices and associated services. The vulnerability could impact industries deploying IoT devices at scale, such as manufacturing, smart infrastructure, healthcare, and logistics, where device integrity and availability are critical. The ability to move devices between products controlled by attackers could also facilitate supply chain attacks or persistent unauthorized access. Given the critical CVSS score and ease of exploitation, the threat poses a high risk to organizations worldwide using affected versions.

Mitigation Recommendations

To mitigate CVE-2026-28806, organizations should immediately upgrade nerves_hub_web to version 2.4.0 or later where the authorization checks have been properly implemented. Until patching is possible, restrict access to the device bulk actions and device update APIs to trusted users only, employing network segmentation and strict access controls. Implement monitoring and alerting for unusual device management activities, such as bulk device moves or updates initiated by unexpected accounts. Review and tighten role-based access control (RBAC) policies to ensure users have the minimum necessary privileges. Disable or restrict remote console access features unless absolutely required and ensure they are protected by strong authentication and authorization mechanisms. Conduct thorough audits of device inventories and configurations to detect unauthorized changes. Employ anomaly detection on device management operations to identify potential exploitation attempts. Finally, maintain an incident response plan tailored to device compromise scenarios to quickly contain and remediate any breaches resulting from this vulnerability.
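The monitoring recommendation above (alerting on bulk device moves or updates by unexpected accounts, or touching devices outside the actor's organization) can be expressed as two small rules over an audit log. The following is an added example, not part of the advisory or of nerves_hub_web: the audit-log field names, the inventory and the sample lines are all constructed assumptions, standing in for whatever the platform and the defender's own device inventory actually record.

```python
"""Detection of suspicious bulk device-management activity (constructed example).

Added illustration, not part of the advisory or of nerves_hub_web. It assumes
an audit log with one JSON object per line carrying the actor, the actor's
organization, the action name and the device identifiers touched, plus a
device inventory the defender maintains independently of the platform.
"""
import json

# Constructed inventory: which organization owns each device.
DEVICE_INVENTORY = {
    "dev-a1": "org-a",
    "dev-a2": "org-a",
    "dev-b1": "org-b",
}

# Accounts expected to run bulk actions at all (e.g. fleet administrators).
EXPECTED_BULK_ACTORS = {"alice"}

# Constructed audit log lines; the field names are assumptions, not the project's schema.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-03-10T20:01:00Z", "actor": "alice", "actor_org": "org-a", "action": "bulk_move", "device_ids": ["dev-a1", "dev-a2"], "target_product": "prod-a"}
{"ts": "2026-03-10T20:05:30Z", "actor": "mallory", "actor_org": "org-b", "action": "bulk_update", "device_ids": ["dev-b1", "dev-a1"]}
{"ts": "2026-03-10T20:07:12Z", "actor": "bob", "actor_org": "org-a", "action": "bulk_move", "device_ids": ["dev-a2"], "target_product": "prod-a"}
{"ts": "2026-03-10T20:09:45Z", "actor": "alice", "actor_org": "org-a", "action": "device_view", "device_ids": ["dev-a1"]}
this line is not JSON and must not break the pipeline
"""


def parse_audit_log(text):
    """Parse JSON-lines audit text, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line is logged elsewhere in real use; here it is just skipped
    return events


def is_bulk_action(event):
    return str(event.get("action", "")).startswith("bulk_")


def detect_cross_org_actions(events, inventory):
    """Flag bulk events whose device list includes devices the actor's org does not own.

    Unknown device IDs are flagged as well: a bulk action naming an ID the
    inventory does not know is either stale data or probing, and both deserve review.
    """
    alerts = []
    for event in events:
        if not is_bulk_action(event):
            continue
        actor_org = event.get("actor_org")
        foreign = [d for d in event.get("device_ids", []) if inventory.get(d) != actor_org]
        if foreign:
            alerts.append({
                "rule": "cross_org_bulk_action",
                "ts": event.get("ts"),
                "actor": event.get("actor"),
                "action": event.get("action"),
                "devices": foreign,
            })
    return alerts


def detect_unexpected_bulk_actors(events, expected_actors):
    """Flag bulk events run by accounts not on the expected-actor list."""
    alerts = []
    for event in events:
        if is_bulk_action(event) and event.get("actor") not in expected_actors:
            alerts.append({
                "rule": "unexpected_bulk_actor",
                "ts": event.get("ts"),
                "actor": event.get("actor"),
                "action": event.get("action"),
            })
    return alerts


def run_detections(text=SAMPLE_AUDIT_LOG, inventory=DEVICE_INVENTORY, expected=EXPECTED_BULK_ACTORS):
    """Run both rules over the log and return the combined alert list."""
    events = parse_audit_log(text)
    return detect_cross_org_actions(events, inventory) + detect_unexpected_bulk_actors(events, expected)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed sample the first rule fires once (mallory's bulk update names dev-a1, owned by org-a) and the second fires twice (mallory and bob are not expected bulk actors). The cross-organization rule is the one that matters for this CVE because it does not depend on the platform's own authorization logic: it compares what was acted on against an inventory the defender controls, so it still fires on a version where the server-side check is missing.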


Technical Details

Data Version: 5.2
Assigner Short Name: EEF
Date Reserved: 2026-03-03T14:40:00.589Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b090d12f860ef943c885b5

Added to database: 3/10/2026, 9:44:49 PM

Last enriched: 3/10/2026, 9:59:07 PM

Last updated: 3/10/2026, 10:46:04 PM
