CVE-2026-28806

Published: Mar 10, 2026 Last Modified: Mar 11, 2026
ExploitDB:
Other exploit source:
Google Dorks:
CRITICAL 9,4
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API.

Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level.

An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity.

In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices.

This issue affects nerves_hub_web: from 1.0.0 before 2.4.0.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0004
Percentile
0,1th
Updated

EPSS Score Trend (Last 7 Days)

285

Improper Authorization

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control
Potential Impacts:
Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies: Database Server, Not Technology-Specific, Web Server
Likelihood of Exploit: High
View CWE Details
668

Exposure of Resource to Wrong Sphere

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Other
Potential Impacts:
Read Application Data Modify Application Data Varies By Context
Applicable Platforms
All platforms may be affected
View CWE Details
https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d…
https://github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3…
https://github.com/nerves-hub/nerves_hub_web/security/advis…
https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc…