Improper authorization in device bulk actions and device update API allows cross-organization device control
Summary
| CVE | CVE-2026-28806 |
|---|---|
| State | PUBLISHED |
| Assigner | EEF |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-10 22:16:18 UTC |
| Updated | 2026-04-06 17:17:09 UTC |
| Description | Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perform management actions on them, such as moving them to products they control. This may allow attackers to interfere with firmware updates, access device functionality exposed by the platform, or disrupt device connectivity. In environments where additional features such as remote console access are enabled, this could lead to full compromise of affected devices. This issue affects nerves_hub_web: from 1.0.0 before 2.4.0. |
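The flaw class in the description, as an added example that is not code from nerves_hub_web or the NervesHub team: a bulk "move devices to product" handler written first in the vulnerable shape (device ids resolved globally, the caller's organization never consulted) and then in a hardened shape (role check, target product and every device resolved inside the caller's organization scope, the whole batch rejected on a single foreign id). All names (`Device`, `Product`, `User`, `MANAGING_ROLES`, `bulk_move_*`), the role names and the in-memory data are hypothetical and constructed for this example; Python is used for a runnable illustration of the pattern, not because the project is written in it.

```python
"""Illustration of the flaw class described above (CWE-285, missing
authorization on a bulk device action). Added example with hypothetical
names and constructed in-memory data; it is not code from nerves_hub_web."""

from dataclasses import dataclass, field


@dataclass
class Device:
    id: int
    org_id: int
    product_id: int


@dataclass
class Product:
    id: int
    org_id: int


@dataclass
class User:
    id: int
    roles: dict = field(default_factory=dict)  # org_id -> role name


class Forbidden(Exception):
    """Raised when an action is denied; a handler would map it to 403/404."""


# Hypothetical roles that may move devices between products.
MANAGING_ROLES = {"admin", "manage"}


def sample_devices() -> dict:
    """Constructed data: org 1 is the victim, org 2 is attacker-controlled."""
    return {
        100: Device(100, org_id=1, product_id=10),
        101: Device(101, org_id=1, product_id=10),
        200: Device(200, org_id=2, product_id=20),
    }


def sample_products() -> dict:
    """Constructed data: two products in org 1, one in org 2."""
    return {
        10: Product(10, org_id=1),
        11: Product(11, org_id=1),
        20: Product(20, org_id=2),
    }


def bulk_move_vulnerable(user, devices, products, device_ids, target_product_id):
    """Vulnerable pattern: every device id from the request is resolved
    globally and rewritten. The caller's org membership is never consulted,
    so any authenticated user can pull devices from another organization
    into a product they control."""
    target = products[target_product_id]
    moved = []
    for did in device_ids:
        dev = devices[did]  # unscoped lookup: the core bug
        dev.product_id = target.id
        dev.org_id = target.org_id
        moved.append(did)
    return moved


def bulk_move_hardened(user, devices, products, org_id, device_ids, target_product_id):
    """Hardened pattern: resolve everything inside the caller's org scope and
    check the role before writing. A single out-of-scope id rejects the whole
    batch; silently skipping it would hide probing. Moves are confined to
    products of the same org (an assumption of this example)."""
    if user.roles.get(org_id) not in MANAGING_ROLES:
        raise Forbidden(f"user {user.id} may not manage devices in org {org_id}")
    target = products.get(target_product_id)
    if target is None or target.org_id != org_id:
        raise Forbidden(f"product {target_product_id} is not in org {org_id}")
    scoped = {d.id: d for d in devices.values() if d.org_id == org_id}
    foreign = [did for did in device_ids if did not in scoped]
    if foreign:
        raise Forbidden(f"devices not in org {org_id}: {foreign}")
    for did in device_ids:
        scoped[did].product_id = target.id
    return list(device_ids)


def demo():
    """Attacker (user 7) is admin only in org 2 and submits victim device ids
    100 and 101 from org 1 together with a product (20) they control.
    Returns (ids moved by the vulnerable handler, org of device 100 afterwards,
    whether the hardened handler refused, org of device 100 after that)."""
    attacker = User(id=7, roles={2: "admin"})
    devs_v = sample_devices()
    moved = bulk_move_vulnerable(attacker, devs_v, sample_products(), [100, 101], 20)
    devs_h = sample_devices()
    try:
        bulk_move_hardened(attacker, devs_h, sample_products(), 2, [100, 101], 20)
        blocked = False
    except Forbidden:
        blocked = True
    return moved, devs_v[100].org_id, blocked, devs_h[100].org_id


if __name__ == "__main__":
    print(demo())  # ([100, 101], 2, True, 1)
```

The scoped dictionary is the point: an id that does not belong to the caller's organization never resolves to an object, so there is nothing to act on, and the decision is made once for the batch rather than per device after writes have started. The same shape applies to a single-device update endpoint, where the lookup should be "device with this id in this org" rather than "device with this id".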
Risk And Classification
Primary CVSS: v4.0 9.4 CRITICAL from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-285 Improper Authorization | CWE-668 Exposure of Resource to Wrong Sphere
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | Secondary | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | CVSS | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | Low |
| User Interaction | None |
| Confidentiality (VC) | High |
| Integrity (VI) | High |
| Availability (VA) | High |
| Subsequent Confidentiality (SC) | High |
| Subsequent Integrity (SI) | High |
| Subsequent Availability (SA) | High |
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Nerves-hub | Nerves Hub Web | affected from 1.0.0 up to (excluding) 2.4.0, semver | Not specified |
| CNA | Nerves-hub | Nerves Hub Web | affected from commit adaeefdb7a835525482588f43332ef988cc448c7 up to (excluding) fix commit 1f69c9d595684a4650c3ac702f3dc7c5bcd7526c, git | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| osv.dev/vulnerability/EEF-CVE-2026-28806 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | osv.dev | |
| cna.erlef.org/cves/CVE-2026-28806.html | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | cna.erlef.org | |
| github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-f8fr-mccc-... | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| github.com/nerves-hub/nerves_hub_web/commit/1f69c9d595684a4650c3ac702f3d... | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Josh Kalderimis / NervesHub team & NervesCloud (en)
CNA: Jonatan Männchen / EEF (en)
CNA: Lars Wikman / NervesHub team & NervesCloud (en)
There are currently no legacy QID mappings associated with this CVE.