{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28806", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-03-03T14:40:00.589Z", "datePublished": "2026-03-10T21:30:58.581Z", "dateUpdated": "2026-05-27T15:41:33.000Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "nerves_hub", "packageURL": "pkg:otp/nerves_hub?repository_url=https:%2F%2Fgithub.com%2Fnerves-hub%2Fnerves_hub_web&vcs_url=git%20https:%2F%2Fgithub.com%2Fnerves-hub%2Fnerves_hub_web.git", "product": "nerves_hub_web", "repo": "https://github.com/nerves-hub/nerves_hub_web", "vendor": "nerves-hub", "versions": [{"lessThan": "2.4.0", "status": "affected", "version": "1.0.0", "versionType": "semver"}]}, {"collectionURL": "https://ghcr.io", "cpes": ["cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "nerves-hub/nerves-hub", "packageURL": "pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub", "product": "nerves_hub_web", "vendor": "nerves-hub", "versions": [{"lessThan": "2.4.0", "status": "affected", "version": "1.0.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "nerves-hub/nerves_hub_web", "packageURL": "pkg:github/nerves-hub/nerves_hub_web", "product": "nerves_hub_web", "repo": "https://github.com/nerves-hub/nerves_hub_web.git", "vendor": "nerves-hub", "versions": [{"lessThan": "1f69c9d595684a4650c3ac702f3dc7c5bcd7526c", "status": "affected", "version": "adaeefdb7a835525482588f43332ef988cc448c7", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "finder", "value": "Josh Kalderimis / NervesHub team & NervesCloud"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen / EEF"}, {"lang": "en", "type": "remediation reviewer", "value": "Lars Wikman / NervesHub team & NervesCloud"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.<p>Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.</p><p>An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.</p><p>In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.</p><p>This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.</p>"}], "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\n\nMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\n\nAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\n\nIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\n\nThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-668", "description": "CWE-668 Exposure of Resource to Wrong Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-27T15:41:33.000Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-28806.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28806"}, {"tags": ["patch"], "url": "https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c"}], "source": {"discovery": "INTERNAL"}, "title": "Improper authorization in device bulk actions and device update API allows cross-organization device control", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:36:05.863739Z", "id": "CVE-2026-28806", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:36:23.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28806", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T14:36:05.863739Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:36:15.921Z"}}], "cna": {"title": "Improper authorization in device bulk actions and device update API allows cross-organization device control", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Josh Kalderimis / NervesHub team & NervesCloud"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen / EEF"}, {"lang": "en", "type": "remediation reviewer", "value": "Lars Wikman / NervesHub team & NervesCloud"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"], "repo": "https://github.com/nerves-hub/nerves_hub_web", "vendor": "nerves-hub", "product": "nerves_hub_web", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "2.4.0", "versionType": "semver"}], "packageURL": "pkg:otp/nerves_hub?repository_url=https:%2F%2Fgithub.com%2Fnerves-hub%2Fnerves_hub_web&vcs_url=git%20https:%2F%2Fgithub.com%2Fnerves-hub%2Fnerves_hub_web.git", "packageName": "nerves_hub", "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"], "vendor": "nerves-hub", "product": "nerves_hub_web", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "2.4.0", "versionType": "semver"}], "packageURL": "pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub", "packageName": "nerves-hub/nerves-hub", "collectionURL": "https://ghcr.io", "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*"], "repo": "https://github.com/nerves-hub/nerves_hub_web.git", "vendor": "nerves-hub", "product": "nerves_hub_web", "versions": [{"status": "affected", "version": "adaeefdb7a835525482588f43332ef988cc448c7", "lessThan": "1f69c9d595684a4650c3ac702f3dc7c5bcd7526c", "versionType": "git"}], "packageURL": "pkg:github/nerves-hub/nerves_hub_web", "packageName": "nerves-hub/nerves_hub_web", "collectionURL": "https://github.com", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2026-28806.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2026-28806", "tags": ["related"]}, {"url": "https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\n\nMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\n\nAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\n\nIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\n\nThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.<p>Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.</p><p>An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.</p><p>In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.</p><p>This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-668", "description": "CWE-668 Exposure of Resource to Wrong Sphere"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nerves-hub:nerves_hub_web:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.4.0", "versionStartIncluding": "1.0.0"}], "operator": "OR"}], "operator": "AND"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-05-27T15:41:33.000Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28806", "state": "PUBLISHED", "dateUpdated": "2026-05-27T15:41:33.000Z", "dateReserved": "2026-03-03T14:40:00.589Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2026-03-10T21:30:58.581Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nerves-hub:nerveshub:*:*:*:*:*:*:*:*", "matchCriteriaId": "D982719F-4686-457F-AC3A-2589CA56652A", "versionEndExcluding": "2.4.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.\n\nMissing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.\n\nAn attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.\n\nIn environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.\n\nThis issue affects nerves_hub_web: from 1.0.0 before 2.4.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n indebida en nerves-hub nerves_hub_web permite el control de dispositivos entre organizaciones a trav\u00e9s de acciones masivas de dispositivos y la API de actualizaci\u00f3n de dispositivos.\n\nLa falta de comprobaciones de autorizaci\u00f3n en los puntos finales de las acciones masivas de dispositivos y la API de actualizaci\u00f3n de dispositivos permite a los usuarios autenticados dirigir dispositivos que pertenecen a otras organizaciones y realizar acciones fuera de su nivel de privilegio.\n\nUn atacante puede seleccionar dispositivos fuera de su organizaci\u00f3n manipulando los identificadores de los dispositivos y realizar acciones de gesti\u00f3n sobre ellos, como moverlos a productos que controlan. Esto puede permitir a los atacantes interferir con las actualizaciones de firmware, acceder a la funcionalidad del dispositivo expuesta por la plataforma o interrumpir la conectividad del dispositivo.\n\nEn entornos donde caracter\u00edsticas adicionales como el acceso a la consola remota est\u00e1n habilitadas, esto podr\u00eda llevar a un compromiso total de los dispositivos afectados.\n\nEste problema afecta a nerves_hub_web: desde la versi\u00f3n 1.0.0 anterior a la 2.4.0."}], "id": "CVE-2026-28806", "lastModified": "2026-05-27T13:47:15.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-03-10T22:16:18.420", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Third Party Advisory", "Patch"], "url": "https://cna.erlef.org/cves/CVE-2026-28806.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Patch"], "url": "https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3dc7c5bcd7526c"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-xvcx"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "tags": ["Third Party Advisory", "Patch"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-28806"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-668"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,2.4.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:otp/nerves_hub@1.0.0,pkg:otp/nerves_hub@2.4.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "nerves_hub_web", "source": "cna", "vendor": "nerves-hub"}, "product": "nerves_hub_web", "vendor": "nerves-hub"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,2.4.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub&tag=1.0.0,pkg:oci/nerves-hub?repository_url=ghcr.io/nerves-hub&tag=2.4.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "nerves_hub_web", "source": "cna", "vendor": "nerves-hub"}, "product": "nerves_hub_web", "vendor": "nerves-hub"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[adaeefdb7a835525482588f43332ef988cc448c7,1f69c9d595684a4650c3ac702f3dc7c5bcd7526c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[pkg:github/nerves-hub/nerves_hub_web@adaeefdb7a835525482588f43332ef988cc448c7,pkg:github/nerves-hub/nerves_hub_web@1f69c9d595684a4650c3ac702f3dc7c5bcd7526c)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "nerves_hub_web", "source": "cna", "vendor": "nerves-hub"}, "product": "nerves_hub_web", "vendor": "nerves-hub"}], "analysis": {"en": {"generated_at": "2026-04-15T22:40:39.130814+00:00", "value": {"mitigation_remediation": ["Upgrade Nerves Hub to version 2.4.0 or later where the authorization checks for device bulk actions and updates have been implemented.", "If an immediate upgrade is not feasible, restrict the device bulk action and device update API endpoints to administrators only, or disable them entirely in your deployment.", "Implement additional validation in your application to ensure that each device ID in bulk requests belongs to the requesting user's organization before performing any actions."], "summary": {"action": "Apply patch", "impact": "Unauthorized cross\u2011organization device control"}, "threat_synthesis": {"affected_systems": "The issue affects Nerves Hub's web application, versions from 1.0.0 up to (but not including) 2.4.0. The affected product is nerves_hub_web, maintained by the Nerves Hub project.", "description_and_impact": "The vulnerability is an improper authorization bug that lets an authenticated user perform bulk device actions or update commands on devices that belong to another organization. Because the API fails to verify that the caller has permission for each target device, the attacker can manipulate device identifiers to select devices outside their own organization. The resulting impact includes moving devices between products the attacker controls, tampering with firmware updates, and potentially enabling downstream attacks such as remote console access, which could lead to full device compromise.", "risk_and_exploitability": "The CVSS score of 9.4 indicates a critical severity, while the EPSS score of less than 1% suggests low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. An attacker would need valid credentials to a Nerves Hub account and would exploit the API endpoints for bulk actions or device updates. Once authenticated, the absence of per\u2011device authorization checks allows arbitrary manipulation of any device across organizational boundaries."}}}}, "created": "2026-03-11T11:39:19.861713+00:00", "updated": "2026-04-15T22:45:16.442875+00:00", "vendors": ["nerves-hub", "nerves-hub$PRODUCT$nerves_hub_web"]}